IIS Webdav Bug

Posted in security on May 25, 2009 by hellnbak

Just wanted to do a quick post to point out a couple of good posts on the IIS WebDAV bug.  Am I the only one who thinks it's kind of cool to see another IIS bug after spending months upon months dealing with file-format-type bugs?

Great and detailed post from Todd Manning over at BreakingPoint (you should follow this blog, it's great!):

http://www.breakingpointsystems.com/community/blog/slash-and-burn-the-iis-6-0-webdav-bug

and, an amusing post showing yet another consequence of the bug:

http://blog.zoller.lu/2009/05/iis-6-webdav-unicode-bug-that-wont-die.html

PGP Fail!

Posted in security on March 26, 2009 by hellnbak

I received this email the other day.  I don't have any real commentary to add to this other than my best Simpsons "ha-ha", and the HTML-formatted email was a nice touch.. heh

===================================================================

From: PGP Corporation [mailto:ceo@pgp.com]
Sent: 25 March 2009 02:07
To: XXXXXXXXXXXXX
Subject: Email communication earlier today from PGP Corporation

SC Magazine Award

Dear Valued Prospect,

You recently received an email from PGP Corporation as a follow-up to your evaluation of PGP products.  This email erroneously included some 290 email addresses of other evaluation users. This occurred when an employee inadvertently pasted these addresses into the “To” line of the message.  Even as this really was a basic mistake – it is not acceptable to me or the employees of PGP Corporation.

This error was in violation of our corporate policies regarding customer information and customer communications.  It should not have happened and we apologise for this mistake.  PGP Corporation is first and foremost committed to privacy and information security.  We assure you that we are not only examining the mistake itself, but are actively re-examining our training and processes to prevent an incident of this kind from happening again.  As John Leyden of The Register wrote, “since PGP specialises in email security, it can hardly complain if people hold it to higher standards”.  He is right.

If you have additional comments, questions or concerns and would like to speak with me directly, please contact me via phone in the UK, toll free: 08-08-2341889, or in the US, toll free: 888-515-4922.  If you call and get my voicemail, please do leave a message.  I will call you back.  If you would like to contact me via email, send your concerns to ceo@pgp.com.

As a company and as individuals, we are committed to safeguarding customer information and we again express our apologies for this error.  We will do better in the future and we will use this isolated event as a learning experience upon which we improve and strengthen PGP Corporation and its communication practices.

Sincerely,

Phil Dunkelberger
President and CEO
PGP Corporation

NoMoreFreeBugs – ohnoes!

Posted in security on March 23, 2009 by hellnbak

At CanSecWest last week (note to self: write a post about how awesome the conference was) a few well-known researchers, Alex Sotirov, Dino Dai Zovi, and Charlie Miller, began a movement against "free bugs".  The basic and oversimplified premise is that they feel security vulnerabilities should not be handed over to vendors for free.  I don't necessarily agree with this, but in reality who cares?  To each their own.  This is really an individual choice.

Of course, this caused a few to scratch their heads and while I am sure there are other really dumb blog posts about this — I thought this one took the cake:

http://www.sophos.com/security/blog/2009/03/3680.html

Not only is the above blog post completely off the mark, but it is clear that the author is very inexperienced in dealing with security vulnerabilities.  Let's look at some of the ridiculous comments made by Ross Thomas of Sophos.

“As one of those users, I have to say I’m not exactly delighted to discover that a so-called security researcher was so breathtakingly cavalier about the safety of my data and the privacy of my personal information. Apparently I’ve been vulnerable to this “idiot-proof” exploit for at least a year, and have only good luck to thank for the fact that no-one used it to drain my bank accounts in the meantime.”

Wow.. talk about raising the level of FUD, and so soon in the post.  While we don't have a heck of a lot of details on the bug (some do have more than others), I can say with a pretty high confidence level that this bug could not be used to "drain" the author's bank account.  If it could, there would be even less reason to disclose it.  ;-)

But wait, it gets even worse:

“The point I’m trying to make is that this wasn’t “his exploit” to do with as he saw fit.”

Really?  Didn’t the researcher, in this case Charlie Miller, spend the time to find this bug?  He found the bug and he wrote the exploit.  That does in fact make it his to do with as he pleases.

I guess that is really the entire point that Sophos and Ross Thomas are missing.  While I personally would report any vulnerabilities I find to the vendor, for free, it really is up to the individual researcher to do as he pleases with what he finds.  After all, he did put in the work.

“With today’s highly monetized black market for malware authors this kind of bug must not be permitted to exist even for a day, let alone a year”

More FUD!  Security vulnerabilities exist; they always have and they always will.  Get over it.  Bugs exist much longer than days, as it takes most vendors months to fix anything, and once you have reported the bug to a vendor — it is no longer a secret.  While anyone could have found the same bug and used it for "bad things", no one did.  So what does that tell you?  It suggests to me that the so-called "black market" and malware authors aren't looking as hard, or maybe they aren't as good at looking.

Let's also not forget that users are always slow to patch their machines.  So waiting to report this really has no bearing on anything — especially when this specific bug has not been used in the wild.  Looking at the last few very successful pieces of malware — none of them used a zero-day.  In fact one of the bigger ones (although we all know the shady AV vendors inflate their numbers), Conficker, used a known and patched vulnerability.  In fact, the trend lately has been: patch released, bad guys reverse the patch, bad guys start using the vulnerability, months later users get around to installing the patch.

Perhaps once we start to see more actual zero-days being used, and, let's be honest here, perhaps once AV vendors start actually offering their users REAL PROTECTION that can't be easily bypassed, then we can cast stones at someone for wanting to be paid for something they do in their spare time.

Sentex Locks

Posted in security on March 11, 2009 by hellnbak

This is a very amusing blog post that I thought I would toss on here. Great find and I am going to test this later today.

Full post from: http://david.weebly.com/1/post/2009/03/how-to-open-many-keypad-access-doors.html

How to open many keypad-access doors 03/11/2009


Here’s a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:

***00000099#*

The first *** is to enter admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits admin mode (make sure you press this, or the access box will be left in admin mode!).

I’m not sure how prevalent they are, but here in San Francisco, Sentex building access systems seem to be the most popular.

Corporate Shilling via “Tech Mag” Blogs

Posted in Uncategorized on March 10, 2009 by hellnbak

Today I read a Blog post that, in my opinion, was pretty suspect when it comes to the whole debate around ethics in blogging.  While it is a reality that all of us have multiple "gigs", from our daily corporate grinds, to side consulting, to getting paid to Blog (note I don't get paid to Blog), we should all be smart enough to not let them interfere with each other.  But what happens when you blur those lines of common sense and use one gig to promote another?  Is that not unethical?  Should writing for ZDNet, albeit a Blog, not make you some sort of "reporter" (using the term very loosely), and shouldn't you resist the urge to pimp your other gigs?

Sure, in this case the author called out that he works for the company in question, but that doesn't excuse the fact that he basically inserted a mostly ignored press release into his PAID ZDNet Blog under the guise of following a "twitter user's request" and "just helping out".  While I don't have anything against Adam personally, and I am sure Cloudmark makes a great product — how dumb do they think ZDNet readers are?  Wait, don't answer that…. ;-)

Sorry, but I call bullshit.  This was simply an attempt to gain more attention for the day job's press release, and really no different from the security companies we have all made fun of in the past for posting fake mailing list posts talking up their own products.

One less trusted resource I suppose…

L0phtcrack is back!!!

Posted in security on March 4, 2009 by hellnbak

Check out this post over at Space Rogue's blog.  Looks like we will finally see a new version of, and maybe some updates to, L0phtcrack.

Great job Mudge, Dildog and Weld!

So much LOL over this post

Posted in Random, security on March 1, 2009 by hellnbak

XBox Live DDoS Attack only $19.95

Posted in security on February 23, 2009 by hellnbak

Here is a horribly written article, complete with FUD terms like "underground packet sniffing software", that was written based on an equally bad article.  I wonder, does this make a horrible BLOG post?  ;-)

Anyways, the whole premise of the above is that "hackers" are performing a DDoS attack service for sore-loser gamers on the XBox Live network.  While the articles and the quotes in the articles make it sound like some amazing accomplishment, it really is not.  To do this requires almost zero skill; of course you need access to your very own botnet, but these days those are not hard to come by and "borrow".

Basically, one must simply sniff their XBox Live connection and, depending on the game (I believe, and correct me if I am wrong, that some games like EA games do not do direct connections but go through the EA servers), gather all of the IP addresses connecting to your network.

Now you have a choice: you can attempt to social engineer your way to the exact user you wish to DDoS, or simply attack the entire group.  I mean, it would be pretty simple to identify the geographical location of the IP address, then simply say "Hey, where is everyone from?" and make some guesses from there.

The whole thing is pretty lame as far as gamers go.  I mean what happened to losing the old fashioned way?  Yelling “your mom” jokes at the person who just beat you?

One of the articles mentioned something about sending the DDoS attack at the "Xbox Live port" (I can't be bothered to double-check which one), when in reality you need to simply take out the person's connection and not target any specific application, which, as we all know, is simple enough to do.

Anyways, back to playing Afro Samurai on my 360.

ZOMG! World’s Greatest h4×0r!!!

Posted in security on February 14, 2009 by hellnbak

Today Fox News published an "article" about how the "world's greatest hacker" would compromise President Obama's Blackberry.  If you want to waste some time you can read the full article here:

http://www.foxnews.com/story/0,2933,492705,00.html

Let's take a look at some of the FUD in this article.  First, the headline itself: "World's Greatest Hacker".  Where to start with that one.  Was there some sort of competition recently where every hacker in the world got together to prove their skills?  Did we have the Hacker Oscar Awards and hand out trophies?  Regardless of whose name is associated with this title, it is in fact extremely silly, but, as you will see, required to build the level of fear, uncertainty and doubt that is no doubt needed in order to read this article.

Despite warnings from his advisers, the president insisted on keeping his beloved PDA, which now has specially designed superencrypting security software.

Superencrypting security software?  That's right.. not just encryption but SUPERencryption.  Encryption so SUPER it can leap buildings and give homeless people houses in one swoop.

But even this SUPERencrypting software has its Lex Luthor.  This time it is none other than Kevin Mitnick, and according to this article Kevin is full of.. ummm.. Kryptonite.

But that just makes cracking into it more challenging — and, yes, it can be done, says the world’s most famous hacker.

“It’s a long shot, but it’s possible,” Kevin Mitnick told FOXNews.com. “You’d probably need to be pretty sophisticated, but there’s people out there who are.”

Mitnick said someone with access to Obama is much more likely to be targeted by hackers because their networks, particularly those used at their homes, would be much less secure than those used by the commander-in-chief.

Once armed with Obama’s coveted e-mail address, a hacker could theoretically send an e-mail to Obama in an attempt to lure him to a Web site that has previously been breached in order to transfer “malicious code,” Mitnick said.

This makes sense, obviously; I mean, it doesn't take the world's greatest hacker to understand that a social engineering attack is really the way to go in this case.  Send the device an email from a "trusted" address and hope that they are naive enough to open the attachment or click on the link.  BUT, we are talking about a Blackberry device here, meaning your run-of-the-mill malware is not going to work and you had better have some skills and knowledge around the RIM platform.  Considering the target, this is not beyond the realm of possibilities.

Although, again considering the target, one would assume that some pretty heavy security awareness training has been given.  So far the article isn't actually that bad, but then Fox News decides to ignore technical accuracy with this gem:

Chris Soghoian, a student fellow at Harvard University’s Berkman Center for Internet and Society, agreed that the most likely route to Obama’s BlackBerry would be to trick the president into visiting a pirated Web site.

Pirated web site?  You can pirate web sites now?  I suppose I could make some room on my hard drive between all of the pirated software, movies and music for some pirated web sites.  Pretty sure they meant compromised web site in this case.  Doesn't that seem like a lot of work?  I mean, first identify a web site your target is likely to visit, then "pirate" it.  There are other, much easier ways to do this.

"These are attacks when you visit a Web site, and within seconds, it hacks into your computer and forces it to download viruses," Soghoian said. "In many cases, people get infected by using out-of-date browsers."

Soghoian said he suspected that the likely culprit wouldn’t be a hacker who targets computers for notoriety or fiscal gain, but rather a foreign government looking for classified information.

OMG.. within seconds you get hacked just by visiting a web site!!  Obviously we have all seen examples of this sort of attack, but to me the wording sounds like nothing more than fear mongering.  But note they said "out-of-date browsers".  Last time I checked (just now), the options for a web browser are very limited on a Blackberry.  Mine runs both the built-in RIM-supplied browser and Opera Mini.  So, sure, there is an attack surface there, but that is assuming they allow Mr. President to surf the web from his device, which, to be honest, sounds pretty far-fetched.  In fact, I would bet that the device Obama uses is very limited in what functions it performs and is locked down to the point that the web browser is removed, as well as other basic functions like installing software.  But that is just a common-sense guess.

But wait: all of this focus on Blackberry devices by the media, and we do not even know for sure that that is what the device in question is.

“Nobody has really said with certainty what device he is actually using,” said Randy Sabett, a partner at Sonnenschein Nath & Rosenthal LLP and a former NSA employee. “That right there is an important subtlety. The less information known, the better.”

So here we have an article based completely on an assumption about what device the President may be using.  While I suppose it is a good assumption based on various photos, it is still an assumption, and while we all know that security through obscurity does not work, something tells me it is only a matter of time before we all know for sure what the device actually is.

So does a BLOG post about an article that is about nothing actually exist?

Seeing how the big, bad, well-funded Fox News cannot get things right, I reached out to Kevin and got his permission to publish the following from an email:

I did not pick the title so don’t blame me!

Second, I told this reporter numerous times that I don't believe Obama uses his Blackberry device for any classified communications – that should be a no-brainer, right?

I did, however, share some attack scenarios that are feasible. One example below I used to surveil the FBI when playing the fugitive game – which would likely work today.

Objective: Identify Obama’s current cellular phone number (SIMPLE)

1.  Compromise his past provider (he’s likely to be using the same one).
2.  Obtain past (3 months) billing records (call detail records)
3.  Compromise (current) provider and perform terminating number searches for any mobile device that has dialed or received calls from the same numbers on Obama’s past billing records.
4.  Maintain a list of suspect devices (mobile handsets) for further analysis
5.  Analyze each suspect device’s call detail records looking for a similar pattern of call traffic (incoming /outgoing)
6.  Narrow the list of devices down to similar call patterns
7.  Pull the subscriber data (billing name, address, contact #, device info (IMEI, SIM info) or (ESN if CDMA provider))
8.  Use mobile operator’s intelligent network to find where the device is registered (in real time)… Is Obama near that location?

Once Obama's cellular number is identified the attacker can acquire his text messages by compromising the SMSC (Oracle db) at the provider, determine his location via cell tower registrations, and capture his call traffic (via real-time CDR).
 
Objective: Obtain Obama’s email address. (SIMPLE)

1.  Identify Obama’s close circle of friends and family.
2.  Compromise these target systems (phishing, wifi, etc) and install a trojan
3.  Steal authentication credentials stored on target system or via keylogger (web based email)
4.  Watch email communications.. eventually the attacker may hit pay dirt.

As far as compromising his BB device, I said it would be difficult but not impossible depending on whether he uses BB’s browser. The possible attack scenario I explained to the reporter was:

1.  Identify vulnerability in BB’s browser that allows execution of arbitrary code.
2.  After compromising his provider, identify what sites Obama visits on his BB (this can be logged by an attacker in the provider's intelligent network.)
3. Identify the sites visited that are not so popular (minimize the potential victims) and compromise these targets.
4. Plant exploit code to execute payload – whatever that is…
5. Wait… and see what happens.

I brought up some others but the article omitted most of what I discussed… go figure…

Anyway, Happy Friday the 13th…

Kevin

All of what Kevin said above is of course plausible, but far be it from Fox News to care whether they get anything right vs. just publishing some oversensationalized article.  Besides, as another friend of mine pointed out, isn't the Blackberry Enterprise Server (BES) a juicier target with a much larger attack surface?

Guess what this could be about…

Posted in Uncategorized on February 6, 2009 by hellnbak

What we have here is a bunch of self-important blowhards giving each other a reach-around so they can all feel relevant and important. But guess what, people: no one cares about your opinions, which are either wrong or simply rehashed opinions from 10 years ago. You have made no difference and you won't make a difference. None of us will.

You can quote me on that… ;-)