Tuesday, December 30, 2008

Making the theoretical possible

I'm looking forward to seeing the "big" talk.



Watch it here.

Monday, December 29, 2008

Windows Media Player Integer Overflow.

Hi Folks, today a Windows Media Player integer overflow exploit came out.
"Windows Media Player 11 for Windows XP offers great new ways to store and enjoy all your music, video, pictures, and recorded TV. Play it, view it, and sync it to a portable device for enjoying on the go or even share with devices
around your home—all from one place."
The author (Laurent Gaffié) found that Windows Media Player fails to handle an exceptional condition when parsing a malformed WAV, SND or MID file, which can lead to a remote integer overflow.

The canonical WAVE header format is the following:



Where:

The canonical WAVE format starts with the RIFF header (offsets and sizes in bytes; the offsets after the "fmt " subchunk assume PCM, i.e. no extra parameters):

Offset  Size  Name           Description
0       4     ChunkID        Contains the letters "RIFF" in ASCII form (0x52494646 big-endian form).
4       4     ChunkSize      36 + SubChunk2Size, or more precisely: 4 + (8 + SubChunk1Size) + (8 + SubChunk2Size). This is the size of the rest of the chunk following this number, i.e. the size of the entire file in bytes minus 8 bytes for the two fields not included in this count: ChunkID and ChunkSize.
8       4     Format         Contains the letters "WAVE" (0x57415645 big-endian form).

The "WAVE" format consists of two subchunks: "fmt " and "data".
The "fmt " subchunk describes the sound data's format:

Offset  Size  Name           Description
12      4     Subchunk1ID    Contains the letters "fmt " (0x666d7420 big-endian form).
16      4     Subchunk1Size  16 for PCM. This is the size of the rest of the subchunk which follows this number.
20      2     AudioFormat    PCM = 1 (i.e. linear quantization). Values other than 1 indicate some form of compression.
22      2     NumChannels    Mono = 1, Stereo = 2, etc.
24      4     SampleRate     8000, 44100, etc.
28      4     ByteRate       == SampleRate * NumChannels * BitsPerSample/8
32      2     BlockAlign     == NumChannels * BitsPerSample/8. The number of bytes for one sample including all channels.
34      2     BitsPerSample  8 bits = 8, 16 bits = 16, etc.
        2     ExtraParamSize If PCM, then doesn't exist.
        X     ExtraParams    Space for extra parameters.

The "data" subchunk contains the size of the data and the actual sound:

Offset  Size  Name           Description
36      4     Subchunk2ID    Contains the letters "data" (0x64617461 big-endian form).
40      4     Subchunk2Size  == NumSamples * NumChannels * BitsPerSample/8. This is the number of bytes in the data. You can also think of this as the size of the rest of the subchunk following this number.
44      *     Data           The actual sound data.


The exploit builds the following header:




which makes no sense. By comparison, a normal WAVE header looks like this:


Every single byte of the exploit's WAVE file is badly formed: no RIFF, no WAVE, no fmt, nothing. An integer overflow occurs while this malformed multimedia file is processed, which eventually allows a remote user to run arbitrary code on the victim's machine. The correct header should start with "52 49 46 46" and should have, in bytes 9 through 12, the word "57 41 56 45" ("WAVE") followed by "66 6d 74 20" ("fmt "). The following image should explain in an easy graphic way what I mean.


It's very strange to discover that Microsoft makes these mistakes. At the end of the day, with respect to Laurent Gaffié's work, this bug is a well-known integer overflow due to a missing check on a (probably) error-checking loop counter. Microsoft should know these problems.
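As an added example (my own code, not part of the original post or of the exploit), the following Python parser checks a WAVE header against the canonical layout above and reports every inconsistency: wrong magic bytes, a ChunkSize that does not match the file length, a ByteRate or BlockAlign that does not follow from the other fields, and a Subchunk2Size that claims more data than the file holds or whose derivation would overflow a 32-bit field. That size-field mismatch is exactly what a parser must reject before using the value for an allocation or a loop bound. The sample files are constructed inline (a silent PCM file, a garbage file, and a file with a tampered Subchunk2Size) and the function names are my own.

```python
import struct

def build_wav(num_channels=1, sample_rate=8000, bits_per_sample=16, num_samples=4):
    """Build a minimal canonical PCM WAVE file in memory (constructed sample input: silence)."""
    block_align = num_channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    data = bytes(num_samples * block_align)
    subchunk1_size = 16                      # PCM: no extra parameters
    subchunk2_size = len(data)
    chunk_size = 4 + (8 + subchunk1_size) + (8 + subchunk2_size)
    riff = b"RIFF" + struct.pack("<I", chunk_size) + b"WAVE"
    fmt = b"fmt " + struct.pack("<IHHIIHH", subchunk1_size, 1, num_channels,
                                sample_rate, byte_rate, block_align, bits_per_sample)
    return riff + fmt + b"data" + struct.pack("<I", subchunk2_size) + data

def with_data_size(buf, value):
    """Copy of a canonical PCM WAVE with Subchunk2Size (offset 40) overwritten; builds a hostile sample."""
    out = bytearray(buf)
    struct.pack_into("<I", out, 40, value)
    return bytes(out)

def check_wav(buf):
    """Validate a WAVE header field by field; return the list of problems found (empty if consistent)."""
    problems = []
    if len(buf) < 44:
        return ["file shorter than the 44-byte canonical header"]
    chunk_id, chunk_size, wave_id = struct.unpack_from("<4sI4s", buf, 0)
    if chunk_id != b"RIFF":
        problems.append("ChunkID is not 'RIFF' (52 49 46 46)")
    if wave_id != b"WAVE":
        problems.append("Format is not 'WAVE' (57 41 56 45)")
    if chunk_size != len(buf) - 8:
        problems.append("ChunkSize %d != file length minus 8 (%d)" % (chunk_size, len(buf) - 8))
    (sub1_id, sub1_size, audio_format, channels, sample_rate,
     byte_rate, block_align, bits) = struct.unpack_from("<4sIHHIIHH", buf, 12)
    if sub1_id != b"fmt ":
        problems.append("Subchunk1ID is not 'fmt ' (66 6d 74 20)")
    if audio_format == 1 and sub1_size != 16:
        problems.append("Subchunk1Size must be 16 for PCM, got %d" % sub1_size)
    if channels == 0 or bits == 0 or bits % 8:
        # Stop here: every derived size below would divide by zero or be meaningless.
        problems.append("NumChannels/BitsPerSample invalid (%d, %d)" % (channels, bits))
        return problems
    expected_block = channels * bits // 8
    if block_align != expected_block:
        problems.append("BlockAlign %d != NumChannels*BitsPerSample/8 (%d)" % (block_align, expected_block))
    # Python ints are unbounded, so a value that would not fit the 32-bit field is caught, not wrapped.
    if sample_rate * expected_block > 0xFFFFFFFF:
        problems.append("SampleRate*BlockAlign overflows the 32-bit ByteRate field")
    elif byte_rate != sample_rate * expected_block:
        problems.append("ByteRate %d != SampleRate*BlockAlign (%d)" % (byte_rate, sample_rate * expected_block))
    data_off = 12 + 8 + sub1_size
    if data_off + 8 > len(buf):
        problems.append("Subchunk1Size %d points past the end of the file" % sub1_size)
        return problems
    data_id, data_size = struct.unpack_from("<4sI", buf, data_off)
    if data_id != b"data":
        problems.append("Subchunk2ID is not 'data' (64 61 74 61)")
    available = len(buf) - data_off - 8
    if data_size > available:
        # Trusting this value for an allocation or a read loop is the classic mistake.
        problems.append("Subchunk2Size %d exceeds the %d data bytes actually present" % (data_size, available))
    elif data_size % expected_block:
        problems.append("Subchunk2Size %d is not a multiple of BlockAlign %d" % (data_size, expected_block))
    return problems

if __name__ == "__main__":
    for name, sample in [("valid", build_wav()), ("garbage", b"A" * 64),
                         ("oversized data chunk", with_data_size(build_wav(), 0xFFFFFFFF))]:
        print(name, "->", check_wav(sample) or "OK")
```

The checks are ordered so that each derived quantity is only computed once the fields it depends on have been validated; a parser that reads Subchunk2Size and loops over it before comparing it with the bytes actually present is the shape of bug the post describes.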

Sunday, December 28, 2008

Dolphin-EMU for MAC

Dolphin is a great WII emulator, but it runs only on Windows machines. So if you have a Mac you need to emulate Windows. As you might guess, it's pretty hard to play a game emulated twice. For this reason I decided to download the sources and compile it on the Mac (Intel). Apparently it seems to work:





Even with the right masterkey.bin, if you try to run a good .iso a lot of errors come out. Moreover, there is no way to change the plugin configuration to improve (and to run) the visualization.



Dolphin still doesn't run on the MAC. I will work on it during my next free days.

Saturday, December 27, 2008

Introduction to Emulators

Hi Folks, during these days I've been working on some emulator stuff.
There are many places where you can find lots of information about emulators, but most of them are just fake web sites that want to steal your money. The first site that I suggest is EMU-ZONE, where you might find some useful notes on all types of emulators. Another great place to look, if you're looking for an emulator which runs on MAC OS X, is victoly. Here you find everything you need to emulate every platform on your own MAC.
There are emulators for each console; using a simple torrent client you'll have no problem downloading the ROMs to play with, BUT there is still a mystery over WII emulators.



On one hand there are plenty of WII fakes around the net, like for example the following one:



On the other hand there are also lots of sites that write about new WII emulators, like for example: WIIEMU, Nintendo WII Emulator, EMUWII, The Vintage Gaming Network
and WIISO. If there are so many people working on it and speaking about it, at the end of the day is there someone who can emulate the WII on a PC? Unfortunately none of these sites says anything really useful about emulating the Nintendo WII. So here is what I've seen: surf to WIISO.com to download the ISO torrent of the "ripped" games (a WII game is more than 4GB, so this process will be pretty slow) and use Dolphin to emulate the WII console. Dolphin works only on Windows and it still has some big incompatibility problems with "drivers", ".NET" and so forth... But if you're lucky and the forum's folks want to help you, you'll get a great WII console on your laptop.

Monday, December 22, 2008

iPhone 3G Unlocked !

Finally, the Dev-Team guys hacked the iPhone 3G baseband!
We have waited too long, but while we were looking at new iPhone applications someone was working hard to break into the baseband.






This is amazing ... ... Thank you guys !

Friday, December 19, 2008

ClickJacking ?

I really don't like the numerous names that people like to invent.
Is this "ClickJacking"?



Well, in my opinion it's simple code injection. I think the more names you give to the same concept, the more confusion you create around the concept.

Thursday, December 18, 2008

Stanford On iPhone

Often university courses are focused on theory and most of the time they don't show practical things, blaming lack of time. Stanford University understood that practice is as important as theory and came out with an iPhone developer class.
I think this is a great idea: the iPhone is one of the most important devices of these years, maybe of this decade; most companies know the iPhone and most companies are looking for good developers. Offering the possibility to learn useful practical skills in a university class seems to be a really smart idea.
Here is the class link. Here are the slides and all the utilities. Don't forget to visit the student applications.

Tuesday, December 9, 2008

How iPhone's Touch Screen Works

Sometimes, usually when I find time, I like to look inside components and parts just to understand how something works.
Today I found this great article on how the iPhone touch screen works.





The iPhone's screen detects touch through one of two methods: Mutual capacitance or self capacitance. In mutual capacitance, the capacitive circuitry requires two distinct layers of material. One houses driving lines, which carry current, and other houses sensing lines, which detect the current at nodes. Self capacitance uses one layer of individual electrodes connected with capacitance-sensing circuitry.

Both of these possible setups send touch data as electrical impulses.






Here's what happens:

1. Signals travel from the touch screen to the processor as electrical impulses.
2. The processor uses software to analyze the data and determine the features of each touch. This includes size, shape and location of the affected area on the screen. If necessary, the processor arranges touches with similar features into groups. If you move your finger, the processor calculates the difference between the starting point and ending point of your touch.
3. The processor uses its gesture-interpretation software to determine which gesture you made. It combines your physical movement with information about which application you were using and what the application was doing when you touched the screen.
4. The processor relays your instructions to the program in use. If necessary, it also sends commands to the iPhone's screen and other hardware. If the raw data doesn't match any applicable gestures or commands, the iPhone disregards it as an extraneous touch.
All these steps happen in an instant -- you see changes in the screen based on your input almost instantly. This process allows you to access and use all of the iPhone's applications with your fingers.

Friday, December 5, 2008

Apple suggestion: get an AV !

Yup, Apple also suggests a good antivirus :(. Is it the end of a myth?
I dunno, but if you want to be safe I suggest ClamXav, the front-end of ClamAV.





ClamXav is a free virus checker for Mac OS X. It uses the tried, tested and very popular ClamAV open source antivirus engine as a back end.

Back in the days before OS X, the number of viruses which attacked Macintosh users totalled somewhere between about 60 and 80. Today, the number of viruses actively attacking OS X users is...NONE! However, this doesn't mean we should get complacent about checking incoming email attachments or web downloads, for two reasons. Firstly, there's no guarantee that we Mac users will continue to enjoy the status quo, but more importantly, the majority of the computing world use machines running MS Windows, for which an enormous quantity of viruses exist, so we must be vigilant in checking the files we pass on to our friends and colleagues etc. For example, if you're a wise person and you've turned MS Office's macro support off then you're not going to notice that virus which is hiding inside this month's edition of Extreme Ironing.doc which your friend sent you. If you then forward that document to a less wise person who has not turned off the macro support, then you have most likely just sent him a shiny new Pandora's Box with a sign saying "Open this end"!

Flippancy aside, I'm sure you get the idea: check the file before opening and/or sending it on to someone else. This gives you the opportunity to avoid the file altogether or at least copy and paste any vital information into a new document and send that instead.

Don't forget, if you run VirtualPC you can still become infected and lose valuable data on your Mac even though technically you're running Windows inside a sandbox. VPC will run any application you tell it to, virus or no virus, it doesn't know the difference. You can protect yourself slightly by not using VPC's "shared folders", but that's a useful feature which you shouldn't have to be without.





********** UPDATE ***********


It seems that Apple is a little bit confused: read this article: Apple deletes Mac Antivirus Suggestion!


*******************************

Monday, December 1, 2008

Thursday, November 27, 2008

Attackers shoot to WireShark.

Every application might be vulnerable, and this is a really old concept. Nothing new, but reading that someone discovered a DoS attack on WireShark, one of the most used packet analyzers, makes me feel strange.
I frequently use it, during my university classes, during my external courses and also during company working time, but I never thought that it could be a potential hole in my system. That, to me, is a great example of what I call "Bar Security".
Following is the original post:


On Nov 2008, Security Vulnerability Research Team of Bkis (SVRT-Bkis) has
detected a vulnerability underlying WireShark 1.0.4 (latest version).

The flaw is in the function processing SMTP protocol and enables hacker to
perform a DoS attack by sending a SMTP request with large content to port
25. The application then enter a large loop and cannot do anything else.

We have contacted the vendor of Wireshark. They fixed this vulnerability for
Wireshark 1.0.5 but they haven't released the official version yet. Details
is here : http://wiki.wireshark.org/Development/Roadmap

SVRT Advisory : SVRT-04-08
Initial vendor notification : 11-14-2008
Release Date : 11-22-2008
Update Date : 11-22-2008
Discovered by : SVRT-Bkis
Security Rating : Less Critical
Impact : DoS
Affected Software :Wireshark 1.0.4 (prev is vulnerable)

2. Solution

Although the official version for this vulnerability hasn't been released
yet, the vendor has updated the fix in the prerelease Wireshark 1.0.5.

Download the prerelease version of Wireshark 1.0.5 here:
http://www.wireshark.org/download/prerelease/



Thank you guys for this interesting contribution, proving that nothing is actually safe.

Friday, November 21, 2008

History.

This is History, Good Job President Obama !

Sunday, November 16, 2008

DDoS attacks threaten ISP infrastructure

The important "WorldWide Security Report", released Tuesday, was based on how 70 lead security engineers responded to 90 questions. These are the results:




It's impressive to know that DDoS attacks are increasing year by year. A DDoS attack assumes that many zombies are present in your networks, which means lots of open vulnerabilities.

Futureland Plants.

Thanks to Flickr:




An amazing futuristic "flower".

Monday, November 10, 2008

The Coolest IT Security Jobs

Directly from GCN, the first 10 positions on "Coolest Security Job"; I like them:


1. Information security crime investigator/forensics expert
2. System, network and/or Web penetration tester
3. Forensics analyst
4 (tie). Incident response, incident handler
4 (tie). Security architect
6. Vulnerability researcher
7 (tie). Network security engineer
10 (tie). CISO/ISO or director of sec
10 (tie). Application penetration tester


Why it's cool: "You're an 'ethical hacker'. It takes equal parts technical ability and creativity. Combines applying different thought processes to system analysis with exploration tools, and a sort of dangerous level of knowledge."

Monday, November 3, 2008

Doom9 Break BD+

Hey guys, do you remember that BD+, the Blu-ray copy protection system, was supposed to be safe for at least 10 years? Well, actually that's very wrong! Some Doom9 hacker(s) have discovered the BD+ "gap" in this post.

Here are the main sections (thanks to user Oopho2ei):







Thank you guys, this is an amazing project !

Tuesday, October 28, 2008

Find The Gap.

Well, this picture is quite embarrassing:



You might think everybody knows what the iPhone is and how to position it the right way, but nope, you're wrong.
At least it's funny to see that.

Monday, October 27, 2008

SU.bash, a funny "rootkit".

Hi Folks, today surfing the web I found this really funny "su-rootkit".
It's a kind of rootkit; in fact it doesn't replace the real su binary, it's a simple bash script which might be placed in the home directory.





Thanks to super.

Friday, October 24, 2008

Out-of-band patch from Microsoft

From Microsoft Security Bulletin MS08-067 :


Microsoft has released an emergency security update for a broad swath of its users that patches a critical security hole that is already being exploited in the wild.

The vulnerability - which has been subjected to “limited, targeted attacks” - could allow miscreants to create wormable exploits that remotely execute malicious code on vulnerable machines, Microsoft said. No interaction is required from the end user. It was the first patch released outside Microsoft’s regular update cycle in 18 months.

“This is a remote code execution vulnerability,” Microsoft’s out-of-band advisory warned. “An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely.”


As you may read from the following picture, lots (...) of Windows versions are affected:



A little bit more in detail:

On Vista and Windows Server 2008, the combination of Address Space Layout Randomization (ASLR) and Data Execution Protection (DEP ) will make the exploitation of this vulnerability more difficult. ASLR will randomize the base address of modules, heaps, stacks, PEB, TEBs, etc. making difficult the return into known locations. Known DEP bypass techniques will not be applicable on these platforms because of the presence of ASLR.

Regarding /GS protection, the stack frame of the function that contained the overflowed buffer was protected with a stack frame boundary cookie. However, due to the nature of this particular vulnerability, the exploit code is able to take advantage of another stack frame that was not meant to be protected by the /GS security cookie. The /GS security cookie is only emitted for functions meeting certain criteria.

F-Secure has already caught the malware which uses this hole; it classified it as Trojan-Spy:W32/Gimmiv.A, with the following features:



On execution, the malware drops a DLL component ( which is also detected as Trojan-Spy:W32/Gimmiv.A ) as

[System Folder]\wbem\sysmgr.dll

and injects it to svchost.exe. The main executable file will then delete itself.

As part of its routine for connecting to a remote server, the trojan will take into account both the operating system version and the presence of any security applications in the system. The trojan checks for the following antivirus programs:

BitDefender
avp.exe
Jiangmin
KasperskyLab
Kingsoft
Symantec
OneCare Protection
Rising
TrendMicro
dwm.exe

The trojan then connects to:

http://59.106.145.58/[...].php?abc=1?def=2

The two parameters 'abc=' and 'def=' are determined by the antivirus program and the operating system version, respectively. For example, if avp.exe is installed on an infected machine that runs Windows XP, then abc=1 and def=2.

The trojan then harvests the following information from the infected machine:

MSN Credentials
Outlook Express Credentials
Protected Storage Information
Username
ComputerName
Patches Installed
Browser Information
Username (web browsing)
Password
URL

The harvested information is encrypted using Advanced Encryption Standard (AES) and is sent to the remote server.


This time the upgrade is strongly required!
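As an added example (my own code, not from the Microsoft bulletin or the F-Secure write-up), here is a small Python detector that applies the Gimmiv.A indicators quoted above to constructed log lines: the dropped DLL under [System Folder]\wbem\ and the beacon URL shape http://59.106.145.58/...php?abc=N?def=M. The key=value log format, the file name PLACEHOLDER.php standing in for the script name elided in the write-up, and the function names are assumptions.

```python
import re

# Indicators taken from the F-Secure description quoted above.
C2_HOST = "59.106.145.58"
# The script name is elided in the original ("[...].php"), so match any .php
# followed by the quoted query shape "?abc=N?def=M" (second "?" as quoted).
C2_QUERY = re.compile(r"\.php\?abc=\d+\?def=\d+$")
DROPPED_DLL = re.compile(r"\\wbem\\sysmgr\.dll$", re.IGNORECASE)

# Constructed sample log lines (not real data): two proxy entries and two
# file-creation audit entries, in an assumed key=value format.
SAMPLE_LOGS = [
    "2008-10-24T10:01:02 proxy src=10.0.0.5 url=http://59.106.145.58/PLACEHOLDER.php?abc=1?def=2",
    "2008-10-24T10:01:05 proxy src=10.0.0.7 url=http://www.example.com/index.php?id=3",
    r"2008-10-24T10:00:58 file-create host=ws05 path=C:\WINDOWS\system32\wbem\sysmgr.dll",
    r"2008-10-24T10:00:59 file-create host=ws05 path=C:\WINDOWS\system32\wbem\wmiprvse.exe",
]

def parse_beacon(url):
    """Return (abc, def) from a Gimmiv-style beacon URL, or None if the URL does not match.

    Per the write-up, abc encodes the detected antivirus and def the OS version
    (e.g. avp.exe on Windows XP gives abc=1, def=2); the values are returned as-is.
    """
    m = re.search(r"\?abc=(\d+)\?def=(\d+)$", url)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(line):
    """Return the list of indicator names a single log line matches (empty if none)."""
    hits = []
    url = re.search(r"url=(\S+)", line)
    if url:
        if "//" + C2_HOST + "/" in url.group(1):
            hits.append("gimmiv-c2-host")
        if C2_QUERY.search(url.group(1)):
            hits.append("gimmiv-c2-query")
    path = re.search(r"path=(\S+)", line)
    if path and DROPPED_DLL.search(path.group(1)):
        hits.append("gimmiv-dropped-dll")
    return hits

def scan(lines):
    """Map line index -> hits for every line that matches at least one indicator."""
    report = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            report[i] = hits
    return report

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS).items():
        print(i, hits, SAMPLE_LOGS[i])
```

The host and query indicators are kept separate on purpose: a beacon to the same host with a different path, or the same query shape to a new host, still produces one hit and is worth a look rather than being silently dropped.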

Monday, October 20, 2008

Grabbing The Web

Hi folks, today I was looking for something able to grab pieces of the web.
I'm building a kind of spam-message compositor for a research project of mine, and what I found is pretty interesting.
It's called Web-Harvest, and of course it does much more than a simple grab, but for my purpose it's more than enough.

Web-Harvest is Open Source Web Data Extraction tool written in Java. It offers a way to collect desired Web pages and extract useful data from them. In order to do that, it leverages well established techniques and technologies for text/xml manipulation such as XSLT, XQuery and Regular Expressions. Web-Harvest mainly focuses on HTML/XML based web sites which still make vast majority of the Web content. On the other hand, it could be easily supplemented by custom Java libraries in order to augment its extraction capabilities.

Process of extracting data from Web pages is also referred as Web Scraping or Web Data Mining. World Wide Web, as the largest database, often contains various data that we would like to consume for our needs. The problem is that this data is in most cases mixed together with formatting code - that way making human-friendly, but not machine-friendly content. Doing manual copy-paste is error prone, tedious and sometimes even impossible. Web software designers usually discuss how to make clean separation between content and style, using various frameworks and design patterns in order to achieve that. Anyway, some kind of merge occurs usually at the server side, so that the bunch of HTML is delivered to the web client.



Every Web site and every Web page is composed using some logic. It is therefore needed to describe reverse process - how to fetch desired data from the mixed content. Every extraction procedure in Web-Harvest is user-defined through XML-based configuration files. Each configuration file describes sequence of processors executing some common task in order to accomplish the final goal. Processors execute in the form of pipeline. Thus, the output of one processor execution is input to another one. This can be best explained using the simple configuration fragment:



When Web-Harvest executes this part of configuration, the following steps occur:

http processor downloads content from the specified URL.
html-to-xml processor cleans up that HTML producing XHTML content.
xpath processor searches specific links in XHTML from previous step giving URL sequence as a result.
Web-Harvest supports a set of useful processors for variable manipulation, conditional branching, looping, functions, file operations, HTML and XML processing, exception handling. See User manual for technical description of provided processors.



Friday, October 17, 2008

Linkedin "space"

Finally, after some requests, I decided to open a LinkedIn "space".

I like this web tool very much and I'll be really glad if you want to add my contact to your network. So, if you're a reader of this blog and you have a LinkedIn account, please feel free to add me to your contacts.
Thank you folks!

Wednesday, October 15, 2008

Fruux: Free MobileME

Hi folks,
today I tried Fruux, a valid alternative to MobileMe; very intuitive and fast. It's still a beta release but it already appears very powerful and trustworthy. Currently the Fruux community is working on an iPhone application; so far it's not available but it seems forthcoming!!






Tuesday, October 7, 2008

Safari on iPhone: still vulnerable.

Safari does it again and again. Don't forget that the first iPhone jailbreak was made thanks to a known Safari bug. And today Safari has another security problem. I reported this kind of bug some time ago in this post, telling Apple to watch out for the "application's space". They said to me: "thank you man!" .... and nothing more ....
Here we go: Safari on iPhone doesn't care about spacing and graphics; these are the results:





No conclusions on that, just pay attention to what you're opening on your smart iPhone.
Read more: here

Thursday, October 2, 2008

Nice Javascript Function on Firefox

Hi folks, today I found a new (for me) Firefox function: find().
I used this function in a "hand made" web site where a "Find" button would find a word inside a big list. My bad, I pressed the button twice and two windows appeared. That's interesting.... So what happens if I call multiple find() functions directly from code?



Firefox will load multiple find windows, of course, kind of cool!
So what happens if you try to load thousands of find windows?
Does Firefox die or does your whole PC die?





My Mac did! :(

Thursday, September 25, 2008

Restroom.

Hey folks, about two or three days ago I went to the restroom on the second floor (where my office is) and this is what I found in front of me.




As you might suppose, in my University lots of people like MAC and Ubuntu; this is the vent of years of Microsoft contracts :)

Tuesday, September 23, 2008

Obfuscate Hello World ! (Funny)

Around the web you may find this funny code; don't worry, it's not the Internet bug :), it's a simple, well-obfuscated "Hello World".
Very nice to show off!

#include <stdio.h>
#define _ 1
#define __ +
#define ___ (
#define ____ )
#define _____ main
#define ______ {
#define _______ }
#define ________ putchar
#define _________ ;
_____ ___ ____ ______
________ ___ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ ____ _________ ________ ___ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ ____ _________ ________ ___ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ ____ _________ ________ ___ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
____ _________ ________ ___ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
____ _________ ________ ___ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ ____ _________ ________ ___ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ ____ _________ ________ ___ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ ____ _________ ________ ___ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ ____ _________ ________ ___ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _
__ _ __ _ __ _ ____ _________ ________ ___ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __ _ __
_ __ _ __ _ __ _ __ _ __ _ __ _ ____ _________ _______

Monday, September 22, 2008

Web Application Security Statistics

A very nice work by the Web Application Security Consortium shows the most relevant security flaws in web applications in 2007.



The goals of this study are very explicit:
1) Identify the prevalence and probability of different vulnerability classes.
2) Compare testing methodologies against what types of vulnerabilities they are likely to identify.
The methodology and the results are explained/shown here. Really nothing to add; just take a look at the above graph: programmers' mistakes are still relevant in 2007.

Friday, September 19, 2008

"Get a PC" :)

Hey folks, look at that.



To me?
This is proof that Microsoft is always late.

Wednesday, September 17, 2008

iPhone GPRS-EDGE Modem

I know, lots of iPhone news came out. Today I won't write about this repetitive news (new iPhone firmware, new PWNG tool, new cracked applications and so forth...); I want to point out a very interesting work called iPhoneModem. During these days some people mailed me asking why the iPhone cannot be used as a modem. I dunno. I've never tried to use the iPhone as a modem; fortunately I have wifi access in my office and at home, so I don't need a GPRS/EDGE connection on the way from home to the office and vice versa.



Anyway, I've looked around and the only thing I found was the "iPhone Tethering Kit", which is a good framework but takes too much time to become operational. So after some more Google research I found iPhoneModem which, although not new, works great. The AppStore doesn't want it. Again, I dunno why, but this project is still alive and works fine.
So, moral of the story: do you need an iPhone modem? Try the iPhoneModem application, I'm sure you'll be happy! :)

Thursday, September 11, 2008

40 line IRC client.

Hi folks, today I want to point out this awesome IRC client written in 40 lines of shell code. It's wonderful, fast, minimal and so useful!
The author wrote:

So I wrote my own IRC client in shell. The output is a little ugly, and
there's no line editing or multiple window support, but otherwise it's just like any other IRC client to use. Almost.


The code:



Monday, September 8, 2008

Security on eVoting

Thanks to Marco Prandini I discovered this interesting paper. Just some sentences from the website:


Until now, it's been easy to dismiss cryptographic voting systems as academic exercises, but the fact that the new system is designed to work with optical scanning gives Chaum hope that it will catch on. "We're ready," he says. "There's no risk. If you add it on, it doesn't interfere with what you had, and if there's a problem with it, you can just ignore it."



How it works:
 

I'm very skeptical about that. History taught us that nothing is safe and nothing is secure; I really think these words are too strong and maybe a "garden path" to failure. For instance, what happens if the invisible code for BO on the ballot is "KQ" but then, after you vote KQ, the ballot posted on the web site is scored for JohnMc, but with the correct code KQ? Again, what happens if the printer fails to write the "hidden code" while believing it wrote the correct one? Again, what happens if the counting machine counts whatever it wants, cheating on the real code associations?
Some researchers are working on it; it's still an open discussion in our research field, so actually we cannot say that a totally secure way to vote exists; we always need some basic assumptions which, maybe, could be false. Please don't believe in the "perfectly secure and untouchable" voting machine; it's still a good dream.

Some more Interesting reading:

Monday, September 1, 2008

Android and "AppStore"

It looks like the "AppStore" (by Apple) but it's really the alternative: the Android application "repository".



The news from MelaBlog says that Android too, like its antagonist the iPhone, will have a nice installation tool open to third-party applications, called GoogleMarket. At the beginning each application will be available for free but, MelaBlog says, it will be possible to find commercial content in the near future.
Moreover some blogs [1, 2, 3] say that AppStore and GoogleMarket will share functionality and applications. However, "AppStore" applications have a different license from "GoogleMarket" ones, so it seems mandatory to build different versions of the applications.

Saturday, August 30, 2008

iPhone QuickPWN for Mac Released.

I know, everybody is speaking about the new QuickPWN for Mac.
It's a light version of PwnageTool, which makes for an easy and quick pwnage. It doesn't build a customized firmware, it doesn't break into the bundle; it's just a "pwnage action" :)



So why are lots of people flaming this tool? I really don't understand that. Anyway, it's very cool, it looks very nice and it's very intuitive. So I've also written about it :) ... Good job guys!

Friday, August 29, 2008

How to break into a PIN locked iPhone

I know, it's no longer news, but these days I'm quite busy. Sorry for that.
Anyway the new iPhone firmware has a very big bug which allows you to get access to a PIN-locked device.
If you want to try it, just follow this attack vector:




I would never have believed that Apple had these kinds of bugs. Probably they need a security engineer :) ... and probably they know it.

Tuesday, August 26, 2008

Magic SysRQ key

Hi folks, it's the first time I've seen this kind of stuff: the magic SysRq key.
It provides a way to send commands directly to the kernel, either from the console keyboard or through the /proc filesystem.


Quoted:
It is a 'magical' key combo you can hit which the kernel will respond to
regardless of whatever else it is doing, unless it is completely locked up.




It is enabled via a kernel compile time option, CONFIG_MAGIC_SYSRQ, which seems to be standard on most distributions.
So if you're administering a remote server and suddenly it doesn't respond to commands, like for example:



you need a "magic command".
So, first you must activate the magic SysRq option:



And then you may reboot your system this way:



Isn't it really cool?
If you want to learn more about magic SysRq you can read the sysrq.txt file in the kernel documentation.

UPDATE:
of course if you want to enable it at boot using sysctl you can, by typing:

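The whole procedure above (check, enable, trigger) wrapped into a few shell functions, as an added example of my own rather than anything from the post or from sysrq.txt. One caveat a practitioner wants here: on a shared box, writing "1" hands every function to whoever reaches the console, including the debugging dumps, so the example enables only the bits an emergency reboot needs. SYSRQ_ROOT is an assumption for testing (it points the functions at a scratch directory instead of /proc); leave it unset on a real host.

```shell
#!/bin/sh
# Added example, not from the post or the kernel docs: a small "hung remote box"
# toolkit around magic SysRq.  SYSRQ_ROOT is a testing assumption: it points the
# functions at a scratch directory instead of /proc; leave it unset on a real host.
SYSRQ_ROOT=${SYSRQ_ROOT:-/proc}

# /proc/sys/kernel/sysrq: 0 = disabled, 1 = everything, otherwise a bitmask
# (Documentation/sysrq.txt): 2 console loglevel, 4 keyboard (SAK, unraw),
# 8 debugging dumps, 16 sync, 32 remount read-only, 64 signal processes,
# 128 reboot/poweroff, 256 renice RT tasks.
sysrq_status() { cat "$SYSRQ_ROOT/sys/kernel/sysrq"; }

# Enable only what an emergency reboot needs: 16+32+64+128 = 240.
# Bit 8 stays off so nobody at the console can dump process/memory state, and
# bit 4 stays off so the keyboard tricks are not available to whoever sits at the box.
sysrq_enable() { echo "${1:-240}" > "$SYSRQ_ROOT/sys/kernel/sysrq"; }

# True if the function behind $1 (a bit value) is currently allowed.
sysrq_allows() {
    cur=$(sysrq_status)
    [ "$cur" -eq 1 ] && return 0
    [ $((cur & $1)) -ne 0 ]
}

# Hand one key to the kernel, exactly as if it had been typed on the console.
sysrq_trigger() { echo "$1" > "$SYSRQ_ROOT/sysrq-trigger"; }

# The "REISUB" sequence minus R (unraw only matters for a real keyboard):
# E terminate all, I kill all, S sync, U remount read-only, B reboot.
# A bare "b" reboots without syncing and loses whatever was still in the page cache.
# The write returns before the sync/remount work is done, so give the disks time.
sysrq_safe_reboot() {
    for bit in 16 32 64 128; do
        sysrq_allows "$bit" || { echo "sysrq bit $bit not enabled; run sysrq_enable first" >&2; return 1; }
    done
    for key in e i s u b; do
        sysrq_trigger "$key"
        sleep "${SYSRQ_DELAY:-2}"
    done
}
# usage (as root, on the stuck host): sysrq_enable && sysrq_safe_reboot
```

The same mask is what you would put in sysctl to have it at boot: `sysctl -w kernel.sysrq=240` now, and `kernel.sysrq = 240` in /etc/sysctl.conf to keep it; a distribution that ships `kernel.sysrq = 1` is giving the console everything.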
Sunday, August 24, 2008

Race condition or Antivirus?

Hi folks,
What happens if an AV is running on your voting machine? Maybe it will disturb your election, like they say, or maybe having an AV is a good thing but your voting system is logically bugged and the problem is still deep.


Joe Hall has the details. Check it here. The Premier reports aren't that clear. Here's the "technical background":
The GEMS poster works by receiving concurrent uploads from the memory cards and then saving that data in temporary files for posting to the election database in a serialized manner, i.e. one at a time. This design is used to optimize the database access performance as well as the upload data performance.
The issue identified is a logic error that allows the poster to attempt to post a file that is still being received when two or more files are received in sequence, and the first file takes longer to save than the second file. If a sharing violation occurs, the posting of the first file is the one affected. Note that files typically take very few milliseconds to save, whereas large files, with large number of votes, can take up to 100 milliseconds.


So it seems a common race condition problem in a concurrent distributed system: the poster decides a file is ready from timing, not from the file itself. It's worth asking whether there are ways the file could be marked successfully uploaded but the votes get lost.
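The general cure for that class of bug, as an added example of my own and not Premier/GEMS code: the receiver never exposes a half-written file (write to a temporary name, then an atomic rename), and the poster refuses anything it cannot prove complete instead of posting whatever happens to be on disk. The file format (one "VOTE <candidate>" line per vote, a trailer "END <count>") and the inbox layout are constructed for the example.

```shell
#!/bin/sh
# Added example, not Premier/GEMS code: an upload inbox where the poster can only ever
# see complete files, plus an integrity check before anything is posted.
# File format ("VOTE <candidate>" lines, trailer "END <count>") and inbox layout are
# constructed for this example.

# Receiver: write into a temporary name in the same directory, then rename.
# rename(2) is atomic, so a poster that globs "*.txt" never opens a half-received file.
receive_upload() {
    dest=$1
    tmp="$dest.part.$$"
    cat > "$tmp" && mv "$tmp" "$dest"
}

# Number of vote records in a file (0, not an error, when there are none).
count_votes() { grep -c '^VOTE ' "$1" || true; }

# Poster: accept a file only if its trailer is present and agrees with its body.
# Prints the number of votes posted, or returns 1 without posting anything.
post_file() {
    f=$1
    last=$(tail -n 1 "$f")
    case "$last" in
        "END "*) expected=${last#END } ;;
        *) echo "$f: no END trailer (still uploading or truncated), not posted" >&2; return 1 ;;
    esac
    case "$expected" in
        ''|*[!0-9]*) echo "$f: malformed trailer '$last', not posted" >&2; return 1 ;;
    esac
    actual=$(count_votes "$f")
    if [ "$actual" -ne "$expected" ]; then
        echo "$f: trailer claims $expected votes, body has $actual, not posted" >&2
        return 1
    fi
    # The real system writes database rows here; the example appends to a tally file.
    grep '^VOTE ' "$f" >> "${TALLY_FILE:-/dev/null}" || true
    echo "$actual"
}

# Drain the inbox one file at a time (serialised, as GEMS does), moving a file to
# $done_dir only after it was posted, so a card is neither lost nor counted twice.
post_inbox() {
    inbox=$1; done_dir=$2; total=0
    for f in "$inbox"/*.txt; do
        [ -e "$f" ] || continue
        if n=$(post_file "$f"); then
            mv "$f" "$done_dir/"
            total=$((total + n))
        fi
    done
    echo "$total"
}
# usage: TALLY_FILE=/var/election/tally post_inbox /var/election/inbox /var/election/posted
```

Two properties answer the question in the post: a file that fails the check stays in the inbox (nothing is marked done), and a file is moved out only after its votes were written, so "marked uploaded but votes lost" cannot happen through timing alone.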

Wednesday, August 20, 2008

iPhone Hacking Applications.

Hello everybody.
I'm sorry if I'm quite slow to update my blog, but these days I've focused my research on iPhone application hacking.
It seems very difficult but the reality is much different. Well, I don't want to write a post on that; I just want to analyze what's happening in the iPhone field.
Well folks, at the beginning the underground community was interested in having a "free iPhone", meaning an unlocked and jailbroken iPhone: an iPhone where you can install third-party applications and use your favorite provider. Now everybody knows that it is very easy to obtain a "free iPhone"... (well actually, it's not true for the iPhone 3G), and lots of "underground people" (not necessarily hackers/crackers) are focusing their attention on applications. Yep, not many people are still working on iPhone unlocking and jailbreaking; the latest trend is application cracking.



I know, iPhone applications cost no more than $10, so it seems to make no sense to try to crack them! Cracking an iPhone application takes 30 minutes if you're an expert, so it's not so convenient to crack them: 30 minutes of an expert hacker's time is much more expensive! But you know, a hacker doesn't care about that; the only thing in his mind is "hack the world".
Anyway, this is the current iPhone trend; what will be the next one? Maybe building your own applications?

Wednesday, August 13, 2008

Holler Back: [NOT] Voting in an American Town

Lulu was at UC Davis this winter doing some filming. I know, that's so cool! Unfortunately I haven't seen her, but Matt Bishop has! She did some filming inside his class this winter and it was really exciting. Anyway, this is the link to her work: [NOT] Voting in an American Town. The study shows some interesting things, like for example the 10 reasons why Americans don't participate in elections.



So, she says about that:
1) There's a lack in CONNECTION
2) Connection is created through INFORMATION & EDUCATION
3) Education & information can be provided by the media (unfortunately...) THE MEDIA IS OFTEN BIASED & FOCUSED ON TRIVIA
4) And, of course, it takes TIME
5) To find accurate, comprehensive sources of information. Everyone knows that time is... MONEY
6) Which many people feel controls politics and leads to... DISHONESTY
7) Uninformed, disenchanted voters tune out and turn to... DISTRACTIONS.
8) They don't feel motivated to make an effort. On top of this... THE VOTER REGISTRATION SYSTEM IS A CONFUSING OBSTACLE COURSE
9) Run by partisan-selected officials who discuss the issue in a... NEGATIVE TONE
10) Who control and implement UNRELIABLE VOTING EQUIPMENT

That's not all; if you keep reading on the official site you'll find other interesting stuff, like for example the 4 reasons Americans still participate in elections and the 10 steps toward election reform.

Monday, August 11, 2008

IntelliScreen: Cracking

Thanks to Crash-X, who found time to crack one of the most amazing iPhone applications, we now have a free IntelliScreen (by IntelliBorn). Of course you need a jailbroken iPhone and an Internet connection. The steps to crack IntelliScreen are really easy! First of all you need to install it from Cydia: open Cydia, press the search button, type the word "intelliscreen", tap on it and install the application. After that you need to download the crack from here, open the zip file and put the two files from the "Crack" folder in the right places. Just a command-line example:

scp Crack/IntelliScreenConfig root@:/Applications/IntelliScreen.app/IntelliScreenConfig
scp Crack/intelliScreen root@:/Library/Intelliborn/intelliScreen




That's all. You only need to download the "Demo license" when the application asks you, and nothing more!
So, what else? Thank you Crash-X!

Monday, August 4, 2008

Finally: Installer 4.0 works !

Nothing to report so far; I'm going on vacation for the next 2 weeks :).
But this news is so cool that I've taken my iPhone and I'm trying to write my first post from it.
So finally Installer 4.0 works properly on iPhone 2.0.




Via ispazio

Monday, July 28, 2008

iPhone:Little bit More On SpringBoard

Everybody knows that there's no SummerBoard nor Customize for firmware 2.0 yet.
So what do we need to do if we want to change some graphics on our iPhone while we're waiting for SummerBoard?
First of all, connect to your iPhone via ssh and go to

/System/Library/CoreServices/SpringBoard.app

Here you find all the basic graphics you might want to change. Following is an example of different "Battery" charge icons.



So it's very easy: just replace the .png images in this folder. There's more. If you want to change the default messages shown by the iPhone inside the blue balloons, move into your language folder (for example English.lproj) and edit your favorite strings inside SpringBoard.strings and USSD.strings. That's all!

Thursday, July 24, 2008

Hackers start to target Apple Macs

Just read this Times Online article by Bernhard Warner




... worryingly ...

Tuesday, July 22, 2008

Fixing EDGE/3G/DT on iPhone 3G

Yes folks, I've pwned my iPhone again (for research, of course) and now I have a first-generation iPhone with firmware 2.0 without Installer.app. After the easy way to jailbreak it, I've seen that the EDGE connection never goes down, and you know EDGE is pretty expensive. So how can we switch off the EDGE connection? The first step was to search in

/System/Library/Carrier Bundles

where you find all the carriers' directories. For instance inside TIM_Italy.bundle there's interesting stuff like, for example:

Default_CARRIER_TIM.png FSO_CARRIER_TIM.png, Info.plist, ResourceRules.plist, carrier.plist version.plist .

So the first thing I did was to rewrite carrier.plist, replacing the apn, username and password strings with something fake. Nothing really happened. So I tried editing the personal configuration preferences in:
/var/preferences/SystemConfiguration/preferences.plist
by typing vi /var/preferences/SystemConfiguration/preferences.plist. Now, searching for the string apn (/apn), I found two different places where it's possible to edit it!

The first one :




The second one:



I changed the default value of the APN string from "1" to "0", blocking EDGE access by default. So far I'm not sure which is the default "apn-key" and which is the user "apn-key", so I've just replaced both. It's working well!!

Enjoy the tip.