Sunday, March 30, 2008

It's time To Build Own Firmware !

Hi Folks, today the greatest news in my opinion is the iPhone PWNAGE !
Yes, Dev-Team has just done it ! Now you might build your own firmware based on Apple's one. It's extremely easy and user-friendly, right now it works "only" with MacOS 10.4.x and 10.5.x. Watch it !



That's amazing doesn't it ? The history is repeating itself.... I've seen the same "step sequence" in humax 5400(z) [hacking sky cinema and so forth], in PlayStation and XBOX [hacking before just a game and then building a complete personal boxes]. Before you try to hack the current softwares and then you want to replace the whole software with a personal one. I like this kind of stuff and I like who's investing time on that. Thank you guys.

More details:

The software is a self contained application (for MacOS 10.4.x and 10.5.x) that allows all current models of the iPhone device to be “Pwned”. This term (in relation to this software) refers to the patching of the stock bootloader so that it will allow the execution of unsigned code and circumvent code-signing checks. “Pwnage” only needs to be performed once to allow the additional features on the iPhone.
The application also processes and modifies existing Apple archives so that unique, custom rolled firmware bundles can be installed onto the “Pwned” iPhone directly from iTunes.
These ”.ipsw” files can be created and patched by the application to allow third-party modifications such as activation, application installation, baseband modification, custom phone graphics etc.
The tool works automatically on box-fresh (OTB) 1.1.3 and 1.1.4 iPhones and requires minimal interaction from the user.


Just one more question:
Where can you find this ? Here it is !

Enjoy and Stay Tuned !

!! UPDATE !!
pwnage has been delayed, here the news.

Saturday, March 29, 2008

MacBook Air Owned In 2 Minutes

That's true.
At CanSecWest 2008 conference, security mans have shown how to get into a new MacBook Air through undisclosed Safari Vulnerability. They have won $10.000 for showing that, of course.


Charlie Miller pwns a MacBook Air at CanSecWest. (Credit: TippingPoint)


The Vulnerability has been acquired as a 0Day and then submitted to Apple which is hardly working on. You can track the vulnerability on: Zero Day Initiative upcoming advisories page under ZDI-CAN-303.
The 0day is still secret but it comes out one day after SECUNIA shown two safari vulnerabilities:
1) An error when downloading e.g. a .ZIP file with an overly long filename can be exploited to cause a memory corruption.
Successful exploitation may allow execution of arbitrary code.
2) An error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar.
I've found a nice Proof Of Concept Here (Hack Your Safari). So maybe the MacBook Air's 0Day could be correlated to these ones? Who knows :) .....
Anyway, that's amazing ! I love this kind of conferences, where you might see the most (lemme say like that) underground side of security. You might also learn a lot and know lots of no famous but extremely good security researchers, moreover It's a perfect place to build good human's links.

Tuesday, March 25, 2008

A Different Web Application Testing Suite

Testing web applications, it's pretty time-expensive and needs the correct utilization of web proxies.  SecurityCompass released a different toolkit, named XSS-ME and SQL INJECT-ME which perform a XSS and SQL INJECTION testing directly on-Fly (without interacting to web proxies ) as a FireFox plug-in.

XSS-ME :  is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS) vulnerabilities.


SQL INJECT-ME: SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.


You can read more here and here. Actually I got no time to try them, so if someone is going to try this new toolkit please let me know about the main differences between SecurityCompass solution and , for instance,the current de-facto standard OWASP framework. Thank you guys !

Monday, March 24, 2008

PHP 5.2.5 and prior : *printf() Integer Overflow !

Hi folks, today I focused my attention on this topic: PHP 5.2.5 and prior sprintf() integer overflow. SecurityReasons discovered this important vulnerability and published the advisory on its own site, here.
*printf() is used to format strings.
Any C programmer knows that those functions assume long strings, and where it is necessary to limit or truncate the strings before passing it to memory. Usually those functions can trigger security holes in the form of overflows. The reason for this is really obvious: If the data that is being passed to memory comes as user supplied data, it needs to be treated before you pass it.


Following the complete advisor:





Again, it seems impossible that someone might find this kind of bugs; what I mean is that this vulnerability's typology  is pretty old (I'm referring to old C functions) and, so far, it should be a well known security background which everybody should have. I'm wondering what happen if the security engineers don't remember old and commons mistakes ? We will remake the same errors ?  Anyway, thank you to SecurityReason's guys who discovered this important vulnerability.

Friday, March 21, 2008

New Jersey Election Discrepancies

Hi Folks, this morning I wanna point out this incredible fact. I 've just found from freedom-to-tinker these important documents which show the Sequoia AVC disease. The evidence of errors is clear in the "summary tape" printed by Sequoia Voting Machine. The following picture represent the total votes casted for candidate.




As you can see the on the Democratic side, the tally is Obama 182, Clinton 179 while on the Republican side it's Giuliani 1, Romney 13, McCain 40, Paul 3 and Huckabee 4. Right now nothing strange. (I mean , aving the results of the ballot isn't save, Covert Channel Attacks .... anyway this's another topic). But, if you try to analyze the result paper you'll agree with me that something doesn't work. Lemme show.



Above is the “Option Switch Totals” section, which shows the number of times each party’s ballot was activated: 362 Democratic and 60 Republican. Something doesn't work. Lemme counts what's happening.
On one side: 1+13+40+3+4 = 61 and not 60 !! 
On the other side 182 + 179 = 361 and not 362 !!!



That's amazing, the totals are right but the singular tally counts are wrong. I wanna point out that this's a really big problem, if each machine makes this kind of mistakes, at the end of the election's day there will be huge wrong results. Moreover we don't know which is the nature of the problem, I mean, in this case the Democratic gain 2 more votes, but who assure us that the Machine's errors will be linear ? What will happen if the error is exponential ? I totally agree with all the people who say:

What’s alarming here is not the size of the discrepancy but its nature.


It's not all.
What you can observe from the results, a lot (all?) of results are wrong and a lot of (all?) counts are in favor of Democratic party. Again it's not all !!! According to freedom to tinker (cited above) , Sequoia's vendor is trying to prevent any independent investigation of what happened sending this kind of mail, also quoted below.



Dear Professors Felten and Appel:

As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.

Very truly yours,
Edwin Smith
VP, Compliance/Quality/Certification
Sequoia Voting Systems



At the end, Sequoia issued a memo explaining what happened. Actually I have no comments (or maybe too much......) on this document, please watch out it alone. 

Just last thought: Is It Sequoia the new Robin Hood ?

Thursday, March 20, 2008

Defacements

Hi Folks, today I gotta observation about the current defacements per Operative System.
It's still a fashion saying that Microsoft machines are insecure if compared to Linux machines, but what I figured out from the following diagram is the opposite.



From authoritatve zone-h statistics seems that Linux Server machines have been defaced more times then Windows ones. The numbers are so clear; (2007) 139502 machines have been defaced in windows domain and 306076 on Linux domain. In average one windows machines for 2,.. Linux ones. That's cool, and what I wanna say so far is that windows isn't insecure by default, some time.... is only a geeky fashion.
On the other hand, it dues to say that the major vulnerabilities are platform independent, they don't depend from Web Server or from the platform but they are depending from the distracted software implementation which is often the principal vulnerability cause.

Everybody needs to watch out about WebServices' security issues, for instance checking OWASP guideline and designing software keeping in mind the security aspect that every project must have. I believe we'll never know what is the securest system, because the most spread vulnerabilities (actually) come out from bad user applications, so in this case Microsoft seems to be more secure then Linux but again, it depends on the total number of user's applications that were running on the tested machine. So makes this graph sense ? I mean,... do you think that this graph is really useful to judge the current security scenario ? What it needs to be really useful ?

Wednesday, March 19, 2008

Safari Denial Of Service.

Yet, another loop able to build a complete and working attack !
Scripts like the following one are already known to be very injurious for web browsers, but even if everybody knows that, it's still a big problem to current web browsers.


via here

The presented vector uses the character "ā" to fill the buffer and the escape function to encode it ! Again, that's amazing finding these kind of bugs inside the 2008 browser technology..... It's a kind of cool.

Animoto.

Hi folks,
today I found another really cool project to analyze; ANIMOTO .




Animoto Productions is a bunch of techies and film/tv producers who decided to lock themselves in a room together and nerd out.

Their first release is Animoto, a web application that automatically generates professionally produced videos using their own patent-pending technology and high-end motion design. Each video is a fully customized orchestration of user-selected images and music. Produced on a widescreen format, Animoto videos have the visual energy of a music video and the emotional impact of a movie trailer.

The heart of Animoto is its newly developed Cinematic Artificial Intelligence technology that thinks like an actual director and editor. It analyzes and combines user-selected images and music with the same sophisticated post-production skills & techniques that are used in television and film.



I'm really curious about Cinematic Artificial Intelligent ... What's it ? Do you have some links about it ? I've never heard about this kind of artificial intelligence and I'd like know more..

Is Yahoo Under Attack ?

Today is going on a news about Yahoo infections. It seems the same attack of facebook, the user simply viewing Yahoo mail page and suddenly, RogueIframe trojan.


Here the original link.

It's more and more dangerous allowing a third party JavaScript applications even if the sources are apparently trusted.

Monday, March 17, 2008

Again,it's cracking

Yet another cracking history:
Oyster cards, the high-tech RFID swipe cards used to gain access to the London Underground, have been pwned.
I wanna replace the Schneier's words : "when will people learn not to invent their own crypto?". The company used a proprietary encrypt algorithm preserving the security through algorithm obscurity.





"The research team was able to obtain the card's proprietary encryption scheme by physically dissecting its chip and examining it under a microscope. They then photographed various levels of its circuitry and used optical recognition software to produce a 3D representation of the entire chip. By examining the logic gates in great detail, they were able to deduce the proprietary algorithm, which NXP dubs Crypto1."



Here the entire paper.

Via Bruce Schneier blog.

Saturday, March 15, 2008

iPhone Freedom

Finally the definitive software to Unlock Jailbreak Install APP and so forth. Here it is !





iPlus just got better with the latest release from ipluspwns.com. iPlus is quickly becoming the definitive tool for unlocking, jailbreak and activation of the iPhone. If you aren't already familiar with iPlus you need to check it out. Why choose iPlus? iPlus uses BL 3.9FakeBlank for bootloader downgrading. This means that the process is fully reversible (unlike some other tools), giving you the peace of mind that you can go back to where you started if you feel the need!



Thank you guys !

That's Cool

Hi Folks, this morning Marco showed me this amazing hack.



Watch it, it's a clear example of Library Buffer Overflow found inside an action game. You know, finding BoF inside the main pieces of a program is easier, finding BoF inside a library (i.e. which provide action as in this video), is much difficult ! Yet another BoF but good job guys, is the first BoF attack on Wii platform that I've ever seen. Awesome !

Thursday, March 13, 2008

Italian Security Landscape

The first sentence: I'm disgusted.
Hi folks, today I've been very frustrated after a security talk in Bologna University @ Cesena. Today a Ravenna's "big" company took a talk in our university about their security vision. The talk was a totally mess. The talker ( security chief ) used a poor and wrong security language miss-understanding some of fundamental security words, like for example: Hacker, Intruder, Exploit Kid and so forth. He presented a non clear vision, jumping from one slide to another without any logical step, he talked about state firewall and about "Http Firewall" ( what's that??) tracing some definition of Intrusion detection saying that is the same thing of a state firewall (are you crazy?). He presented the Security Engineering professional profile as a man who has to use some already made products, called bricks ! He didn't understand what a penetration testing is, he didn't realize what a red teaming is and what kind of security engineering is required in the world so far. He presented a totally wrong graph where he explained that BoF is the more dangerous rather then a "sql-injection" (it's just a stupid example) because most spread without thinking that is through sql-injection that an attacker may cause an BoF [Marco Ramilli, Buffer Overflow Technique, ICT-Security]. Again, lots of wrong graphs and lots of wrong sentences that I don't wanna write in my blog.
I'm really sad, this company (I dont wanna say the name) is working for Ferrari, Banca Intesa, Banca San Paolo, lots of big and rich Italian companies. It's unbelievable that big companies like that are abandoned to this "security company". 
Again, I'm really sad. Lots of companies that wanna make security but don't know anything about it. They (he) didn't know any kind of security books and they didn't know about any kind of security literature. The security chief is a physician converted into an security engineer. Actually I'm thinking on a technical paper written by Stefano Zanero about a similar topic. I don't remember which is the paper and where you can find it but he said something like that:
" In our country lots of companies wanna make security, but only few are able to think in security, being a good security companies " (It's not the exact sentence, just a little memory about his technical report). I totally agree with him.
Yet, another bad history.

Wednesday, March 12, 2008

Copy and Paste on iPhone

Hi guys,



I know this isn't a great top security news, but how many of you gotta iPhone and wanna use "Copy and Paste" functionality ? I'm an iPhone user and the impossibility to use-it, it's very frustrating. So welcome iCopy.


iCopy is the first (that I know of) application for the iPhone and iPod Touch that allows you to copy and paste text and URL's between web pages. You also have the option of emailing copied text or URL's.


How it works ? Following Videos show the basic iCopy skills, enjoy your Copy :)




Tuesday, March 11, 2008

Prime III: Is It The Secure Voting Machine ?




Hi folks, today I focused my attention on Prime III, the "most secure" Voting Machine which has been ever built :-) (watch the video, please) . At first eye the system appears really well designed. The voter may vote by touch screen and/or by voice in a very intuitive way. If the touch screen has been compromised the voter uses the microphone to express her will. None can understand what the voter is doing because the Prime III links randomly the candidate's names with number of BEEP that the voter may use to cast the ballot. So for example if there are two voters at the same time that wanna vote for the same candidate they will speak different sequences of BEEP. Moreover Prime III utilizes a dynamic imposter file organization which dynamically generates random signed ballot file into a complex folders system, where only one is the correct one. The real vote folder is determined by an input key set by the election administration official. The whole system runs on SELinux versions where takes the logs informations if necessary.




The system has been designed from the Department of Computer Science and Software Engineering at Auburn University, inside the Human Center And Computing. For this reason this system is unquestionably one of the most user-friendly and easy to use voting device. As they said eve a blind man will be able to put his vote, and this to me is amazing ! As you can see in the following image the user interface is really easy and with only one race per page, in that way is easier to figure out the correct button to press down.



At last but not least the Prime III has an easy system of video record that proves the correctness of the vote whenever there is necessity. The system doesn't record the physical voter but it records her voice and the screen giving a Video Voting Verify.
So.. it's really secure this system ? I'm going to analyze it, with a great read team.... we will see ! ;-)

Monday, March 10, 2008

No WAY !!!

Pentagon attackers stole 'amazing amount' of sensitive data.
from theregister .  

According to some security posts ( actually I don't remember which ones ) over the net, this article might make you hurt, so please be careful during the reading even if you got a strong hart, it's very disgusting. 

Yes, I'm back

Hi folks, I'm back in Italy. I have no idea about how much time I'll be here but now I'm here. After a really scary flight from San Francisco to Philadelphia where the wind was traversal and powerful the next one from Philadelphia to Milan was extremely flat and noiseless.
Anyway, this morning I wanna point out this incredible Flash script. Do you remember the xeyes application presents on different Lunux Distributions ? This is an improvement it's awesome don't you think ?



This nice girl will follow your mouse pointer, with eyes, mouth, face and neck ! That's wonderful !

Thursday, March 6, 2008

Coming Back.

Hi folks,
I'm sorry but for some days I'll not upgrade my blog because I'll travel along the world :). A long flight from San Francisco to Philadelphia and another even longer from Philadelphia to Milan and then car to Cesena. Last time that I flu with U.S Airways my flight takes 4 days from Milan to San Francisco with a lost Luggage and two missed plane. Now I hope the travel will be really different and I hope that 15/16 hours will be enough. But... as my friend Ryan usually says ..... Who Knows ?? HeHe. Anyway, I will stay for another wile in Italy (one of the best places in the world) working on Security in Network Security Laboratory. And why not if some companies needs a Security Engineer for a wile, it will be welcomed. Then ? I will travel, as usually.




I'll start to write again from next week, probably from Monday morning (Whatever morning will mean ).
So... so far, thank you California see you soon. I will back !

Wednesday, March 5, 2008

MXTube: Downloading YouTube Videos On Your iPhone


Hi folks, today I wanna point out this interesting work by Max Weas and Pumpkin (actually it's still down..) named MXTube. Thanks to this little software you should download video from YouTube and play them on your iPhone. The idea is great but unfortunately the current version has some problems which deny the correct videos visualization .
So, the downloading phase seems to work fine, but the 'built-in' video player crashes several time, making impossible the correct visualization of the downloaded video. I hope that an upgrade is coming soon. In the meanwhile I'll not delete MXTube.

Surveillancesaver: Windows and MAC



Very nice Screen Saver for OS X and for Windows, shows live images from surveillance cameras. You can download it here.


SurveillanceSaver is a screensaver for OS X and Windows that shows live images of over 400 network surveillance cameras worldwide. A haunting live soap opera.


Via m05.

Tuesday, March 4, 2008

MMS For iPhone ?

Yep, another great project.
Receiving and writing MMSs is not impossible if you gotta iPhone. You know, with native (naive) iPhone it's impossible performing this task and so swirly said: "I will do it !". Here we go ! He finished to write this wonderful application . Here the written sourceand here the Installer's one ;).

TrueCript: New Version.



It's with pleasure that I announce the new TrueCript Version !
it's a free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux .It's one of my favorite software really cardinal for the security of your data ! get a look !

Main Features:
Creates a virtual encrypted disk within a file and mounts it as a real disk.

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Encrypts a partition or drive where Windows is installed (pre-boot authentication).

Encryption is automatic, real-time (on-the-fly) and transparent.

Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume (steganography – more information may be found here).

2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Inside American Rest Room.

These picture are really funny ! I've founded them inside some rest room in California !



Guys have you ever used your laptop inside a public bathroom ? I've never done it... but perhaps some one do that !



And it's mandatory washing your hands too ! It's the Low !
I love US, it's the most multi-cultural place in the world and only here you can find the most strange things made as a result of a cultural fusion.

Saturday, March 1, 2008

OS X security threat .



(credit: CNET)

Hi folks, this is another amazing research.
Yep, I wanna say "research" because this kind of stuff often have a bigger impact in the community then more-scientific papers.
Anyway the password discovery has been possible thank a small "EFI memory scraper" (written by William Paul) which ran from a external PC through Apple's NeetBoot. EFI collected something like 1.25GB file where they found the administrator credential !




(credit: CNET)

Here the complete link (news.com), with pictures and some not detailed explanation ! What does Apple do ? Actually nothing :) According to news.com Apple has confirmed a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account. But no security update, so far.