Friday, June 25, 2010

iPhone Hides Geo Location into Images

Probably the word "Hide" is not completely correct, since the iPhone asks you to enable GeoLocator for each application. But how many times do we use GMAPS or a navigation system to find places around us? I do it a lot. For this simple reason my GeoLocator is always switched on, and I am pretty sure that tons of people out there forget it "on" even if they don't use GPS or GMAPS. Anyway, I've just realized that GeoLocator embeds GPS coordinates into your images and not in a separate file/format... What does this mean? Plenty of online pictures hide their geo location! This is pretty scary in my view.

One of the best applications for image forensics is called Exif Viewer and is reachable here. This tool lets the user view most of the information encoded into images, such as the GPS location!




Here is a full example of what I mean.



Pretty impressive, right?
Please watch your geolocation option, whatever smartphone you have, or everybody will know where you were, forever.
We are moving again, from where we are now, i.e. everybody knows what we are doing (Facebook and Twitter), to a new, even more interactive world where the masses will know what we are doing, what we are seeing and where we are. Well... not scary at all??
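To make the point concrete, here is an added example (not part of the original post, and not how Exif Viewer itself is implemented) that reads the GPS position out of a JPEG's Exif segment and strips that segment before publishing. The sample image and its coordinates are constructed for the example; all function names are assumptions.

```python
import struct

def find_exif(jpeg):
    """Return (start, end, tiff) for the Exif APP1 segment, or None."""
    pos = 2                                    # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and body.startswith(b"Exif\0\0"):
            return pos, pos + 2 + size, body[6:]
        pos += 2 + size
    return None

def read_ifd(tiff, bo, off):                   # tag -> raw 4-byte value field
    (count,) = struct.unpack_from(bo + "H", tiff, off)
    rows = (struct.unpack_from(bo + "HHI4s", tiff, off + 2 + 12 * i) for i in range(count))
    return {tag: value for tag, _type, _n, value in rows}

def gps_coords(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no GPS data is embedded."""
    found = find_exif(jpeg)
    if not found:
        return None
    tiff = found[2]
    bo = "<" if tiff[:2] == b"II" else ">"     # TIFF byte-order mark
    u32 = lambda raw: struct.unpack(bo + "I", raw)[0]
    ifd0 = read_ifd(tiff, bo, u32(tiff[4:8]))
    gps = read_ifd(tiff, bo, u32(ifd0[0x8825])) if 0x8825 in ifd0 else {}  # GPSInfo pointer
    if not gps.keys() >= {1, 2, 3, 4}:         # LatRef, Lat, LonRef, Lon
        return None
    def degrees(ref_tag, dms_tag):             # three RATIONALs: deg, min, sec
        off = u32(gps[dms_tag])
        d, m, s = (n / q if q else 0.0 for n, q in struct.iter_unpack(bo + "II", tiff[off:off + 24]))
        return (-1 if gps[ref_tag][:1] in (b"S", b"W") else 1) * (d + m / 60 + s / 3600)
    return degrees(1, 2), degrees(3, 4)

def strip_exif(jpeg):
    """Drop the whole Exif segment (GPS included) before the image is published."""
    found = find_exif(jpeg)
    return jpeg[:found[0]] + jpeg[found[1]:] if found else jpeg

def sample_jpeg():                             # constructed input: SOI + Exif APP1 + EOI
    e = lambda tag, typ, n, val: struct.pack("<HHI4s", tag, typ, n, val)
    p = lambda off: struct.pack("<I", off)
    tiff = (b"II*\0" + p(8) + b"\x01\0" + e(0x8825, 4, 1, p(26)) + p(0)
            + b"\x04\0" + e(1, 2, 2, b"N\0") + e(2, 5, 3, p(80))
            + e(3, 2, 2, b"W\0") + e(4, 5, 3, p(104)) + p(0)
            + struct.pack("<12I", 32, 1, 42, 1, 54, 1, 117, 1, 9, 1, 36, 1))
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

Running `gps_coords()` over a folder of photos before uploading shows which ones still carry a position; `strip_exif()` removes it together with the rest of the Exif metadata.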

Tuesday, June 22, 2010

Drive: The surprising truth about what motivates us

Really,
I have never seen a presentation as amazing as the following one, in terms of both content and presentation.

Friday, June 18, 2010

Reputation Analysis


URLVoid (a beta version at the moment) is a free service that scans suspicious websites with multiple engines to check whether a site is safe to browse. In the URLVoid concept, safety is also determined by the reputation of the web site; in fact it uses both AV engines and reputation engines. Here are the engines it uses so far: McAfee SiteAdvisor, McAfee Trusted Source, PcTools Browser Defender, Norton SafeWeb, MyWOT, Threat Log, MalwareDomainList, hpHosts, ZeuS Tracker, Google Diagnostic, PhishTank, Project Honey Pot, ParetoLogic, Spamhaus, URIBL, Malware Patrol, SURBL, SpamCop, TrendMicro Web Reputation, Web Security Guard.

So what does it think of my blog?
SUSPICIOUS... Of course! Nah... really? NoVirusThanks, probably one of the most used right now, thinks that my blog is totally safe.

But as you can see from the image, it did 16 checks against the 19 of URLVoid. So what is the weird check that triggers the AV on my blog?

The MyWOT reputation engine believes that my site is suspicious, so not really safe. Interesting... So why does it believe that? If you try to analyze my blog with MyWOT you will find a very interesting thing: marcoramilli.blogspot.com has one of the highest scores in trustworthiness, but it is below the average in the following categories:
  1. Vendor Reliability (53)
  2. Privacy (54)
  3. Child Safety (42)
Now, I cannot get point (1), since I am not a vendor and you won't buy anything from this blog... (54 points? Who gives me those points?). Point 2: what does privacy mean? That I write about privacy? That I steal your privacy? That I want privacy? Anyway, I got 54 points... And Child Safety, this makes me laugh :D. So what does 42 points mean? Let's say that pornography is 100 (even if pornography has nothing to do with safety, at least with "bad education"... but anyway, they use this practical categorization...). I got 42, so my site is close enough to being a half-porno blog, right? Which means that half the posts are about pornography... hmm... But it is one of the best in trustworthiness... well, that's cool! I didn't know I wrote such spicy posts :D :D .

Anyway, be careful when evaluating your URL with these toys and when buying this kind of service. Before doing that, keep in mind that viruses and malware, once discovered, are pretty easy to detect. But the reputation of a web site is still a great and huge research topic, probably still far from a good and usable product.

Thursday, June 10, 2010

New Jersey: Uncontrolled Voting Machines

I really cannot figure out a worse situation than this one.

It's Election Day in New Jersey. Longtime readers know that in advance of elections I visit polling places in Princeton, looking for voting machines left unattended, where they are vulnerable to tampering. In the past I have always found unattended machines in multiple polling places.

I hoped this time would be different, given that Judge Feinberg, in her ruling on the New Jersey voting machine case, urged the state not to leave voting machines unattended in public.

Despite the judge's ruling, I found voting machines unattended in three of the four Princeton polling places I visited on Sunday and Monday. Here are my photos from three polling places.





Sunday, June 6, 2010

Perl Binary Scanner: looking for environment variables

Hi folks, today I ran into the following pretty awesome Perl script, which checks a binary file for environment variables. As many of you know, one of the most common mistakes in writing code is to trust environment variables, which might be modified by external users. Don't you get that? Then let's assume the following example: "A" uses the environment variable called "Path to X" to run the "X" program. The "X" program is supposed to perform a simple "O" operation, running with the same rights as "A". An attacker who knows that "A" uses "Path to X" for running "X" can change the variable "Path to X" to "Path to Fake X", which performs a different operation " O' ". Here we are! The following script is a pretty simple and minimalist one, but it does the job.



#!/usr/bin/perl

# syntax: ./getenv.pl <binary>.


# (1/4): return values to ignore.

$skip="TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC _GLOBAL_OFFSET_TABLE_ --";

# (2/4): script signals.

$SIG{'INT'}=\&dataexit;

$SIG{'TSTP'}=\&dataexit;

# (3/4): script routines.

sub out{print STDERR"[*] @_";}

sub outr{print STDERR"@_";}

sub outq{print STDERR"[!] @_";exit(-1);}

sub isvalid{$char=substr(shift,0,1);if(ord($char)>64&&ord($char)<91||ord($char)>47&&ord($char)<58||ord($char)==45||ord($char)==95){return(1);}return(0);}

sub readbinary{

out("$0(3): getenv() binary scanner, by: vade79[v9\@fakehalo.org].\n");

open(BINARY,shift)||outq("could not open binary.\n");out("opened binary successfully.\n");

@read=<BINARY>;close(BINARY);$i=0;$tokens=@read;out("scanning binary($tokens): ");while($read[$i]){

@tmpread=split(chr(0),$read[$i]);$tokens=@tmpread;$j=-1;while($j<$tokens){

$j++;$k=0;while(isvalid(substr($tmpread[$j],$k,1))&&length($tmpread[$j])>1){

if($k+1==length($tmpread[$j])){

$m=0;@s=split(/ /,$skip);$l=0;while($s[$l]){if($s[$l]eq$tmpread[$j]){$m++;}$l++;}

@s=split(/,/,$result);$l=0;while($s[$l]){if($s[$l]eq$tmpread[$j]||$s[$l]eq" $tmpread[$j]"){$m++;}$l++;}

if(!$m&&substr($tmpread[$j],0,3)ne"SIG"&&substr($tmpread[$j],0,2)ne"__"&&substr($tmpread[$j],length($tmpread[$j])-2,2)ne"__"){

if(!$result){$result=$tmpread[$j];}

else{$result="$result, $tmpread[$j]";}

}

}

$k++;

}

}

$i++;outr(".");

}

outr("done!\n");

}

sub data{

if($result){out("typical getenv() possibilities: $result.\n");}

else{out("no typical getenv() possibilities found.\n");}

}

sub dataexit{outr("cut!\n");data;outq("cut run, finished.\n");}

# (4/4): script init.

if(!$ARGV[0]){outq("syntax: $0 <binary>\n");}

if(!-f$ARGV[0]){outq("error, binary not found.\n");}

readbinary($ARGV[0]);data;out("clean run, finished.\n");exit(0);



BTW, yes of course it also does search for getenv() checking out for buffer overflows ... ;] But this is a very specific one. :]
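The "Path to X" scenario above, as an added example that is not part of the original post or of the Perl script: the trusting lookup beside a hardened one that accepts an override only when it resolves to an allowlisted path, plus a scrubbed environment for the child. The variable name `X_PATH`, the path in `DEFAULT_X` and every function name are assumptions made for the illustration.

```python
import os
import tempfile

DEFAULT_X = "/usr/local/libexec/x"   # hypothetical fixed install path of "X"

def resolve_x_unsafe(environ):
    """What "A" does in the post: run whatever X_PATH names."""
    return environ.get("X_PATH", DEFAULT_X)

def resolve_x_safe(environ, allowed):
    """Accept an override only if it resolves to a path the operator allowlisted."""
    candidate = environ.get("X_PATH", "")
    if not os.path.isabs(candidate):            # relative paths depend on cwd: refuse
        return DEFAULT_X
    real = os.path.realpath(candidate)          # resolve symlinks and ".." first
    return real if real in allowed else DEFAULT_X

def child_env(environ, keep=("LANG", "TZ")):
    """Environment passed on to "X": allowlisted names plus a fixed PATH."""
    env = {name: environ[name] for name in keep if name in environ}
    env["PATH"] = "/usr/bin:/bin"
    return env

def demo():
    """Constructed scenario in a temp dir; returns the outcome of each case."""
    d = os.path.realpath(tempfile.mkdtemp())
    good, fake, alias = (os.path.join(d, n) for n in ("x", "fake_x", "x_alias"))
    for path in (good, fake):
        open(path, "w").close()
    os.symlink(fake, alias)                     # looks harmless, resolves to fake_x
    allowed = {good}
    pick = lambda value: resolve_x_safe({"X_PATH": value}, allowed)
    return {
        "unsafe_follows_env": resolve_x_unsafe({"X_PATH": fake}) == fake,
        "fake": pick(fake), "alias": pick(alias), "relative": pick("fake_x"),
        "good_accepted": pick(good) == good,
        "env": child_env({"X_PATH": fake, "LANG": "C", "HOME": "/root"}),
    }
```

Variable names reported by the scanner are the places to look for the first pattern; each one that ends up in an exec or file-open call is a candidate for the second.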

Saturday, June 5, 2010

Yet moving time.

After a perfect Memorial Day weekend in San Diego, I've been busy with some work projects which are going to be concluded by the end of the month. I am writing a couple of papers for IEEE conferences and two more articles for IEEE magazines, which keep me busy till the end of next week. So basically this is the main reason why my blog has been "silent" for some weeks. After this busy ongoing week it will be time, for me, to pack everything again and move back to Europe for some unpredictable time.

For all the companies that are working with me (requesting penetration testing), even if they've never seen me: don't worry, everything will stay the same, you will not notice my movements. Let's do as we have always done; I'll check emails at least 3 times per day. ;]

That said, I will try to write posts more frequently than I did in the past few weeks.





BTW, San Diego is a very pretty city. Probably one of my top 10 places to live... this means I'll be back! ;)