Wednesday, February 27, 2008

Firmware 1.1.4

Yes, after the 1.1.3 OBT jailbreak, the iPhone hacker community has just release the new version of independence ; able to jailbreak the 1.1.4. As usually, independence doesn't unlock your iPhone but it 'just' jailbreaks, actives, provides a SSH installation, and such more personalization.

But that's not all !! iPhone Dev Team has realized an amazing YouTube Video (following), with a new customized Firmware. Are there some folks who remember the Humax 540(z) Hacking ? At the beginning few and poor patches to apply to the official firmware... after that new firmware !! It's amazing.

May we'll be able to install our own firmware on this device ?
To me, this is the first step to an alternative apple iPhone Operative System.

Friday, February 22, 2008

Cold Boot Attacks on Encryption Keys

Thanks to Ann, I discovered this amazing attack.

From Princeton Information Technology Policy group:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

This is one of the coolest hack that I've ever seen.Moreover It's really easy to verify the behavior, let me try with this easy example. First of all let me see what I got in the memory:

Ok, there're are lots of interesting things... but who cares about these ?? :). Let me try to refill the memory with a well known string: for instance let me use the word "HACK". Refilling the memory is quite easy with an auto-sized buffered language as python or perl, for example we can use the easy python suggested script :

a = ""
while 1: a += "HACK"

After fews minutes the computer starts to swap the memory into HD; it's time to stop it (^C). Here we are, after a fast reboot
typing for the second time :

What I've founded ?

I don't wanna comment this result . It's self explicated.

Wednesday, February 20, 2008

Browser Testing

Hi Folks, today surfing on the net I found this interesting site.
How many time did you need to test your web page on different browsers because, you know, the compatibility is often different ? Well, with service all your testing phase will be turn easier.  Thank you guys.

Sunday, February 10, 2008

Discovering Potential Vulnerabilities on Safari.

Hi folks, this morning following the example of an old way to phishing browsers, (under link manipulation) I've found a Safari leak. Let me try, before, with an easy example of unaware link redirection and then we'll try to discuss how this bug becomes vulnerability. 
Well, our main target is to grab accesses to bank account (?), gmail (?), whatever you want. The first step, as usually, is building a clone page of our target with a malicious code inside. Second step, redirect people on this malicious site. The technique is always the same:


Here the exact example on last safari browser:

As you see in the next figure, safari opened the page asking nothing, no warnings and no exceptions ( doesn't ask username !) Safari opened it and nothing more.

Right now, it could seem quite normal, maybe you're thinking "I can see the URI bar, so I know where I am !". Well actually, I'm not so sure that every people look inside the html code in order to verify if the link points to the exact webpage, but there's more! Just adjusting the link on the URI bar, adding some spaces and eliminating the username side, the URI will appear clear and impossible to detect by human. Let's look it ! The following image represents the phished URL before be submitted, as you can see human eyes cant figure out the difference between this URL and the original one

After the submission:

Of course, now you'll se the spaces (%20) but the URL has just been submitted. That means you are redirected on malicious website. Now, it might be clear why this is a real problem. If inside the malicious site has encoded an easy javascript able to grab your gmail cookies or whatever, you've just lost your credentials. 


The apple security team contacted me, they're very very extremely fast and nice. :P

Sean Peisert, asked me: " What about iPhone ?". That's true !! iPhone got Safari too and it's very common to use iPhone having access to bank accounts.... Anyway, the answer was, Yep..iPhone is vulnerable too.

Saturday, February 9, 2008

Asus Eee Vulnerable by default !

So far, there are too many discussions regarding iPhone 1.1.2 and 1.1.3 software unlock, for that I gonna to wait fews days before writing something on. Right now I wanna spread out this funny news. Asus Eee PC  comes out with Xandros, a debian based operative system which has a vulnerable samba server.

To me, It's a pretty funny situation... There are different security communities in the world: scientific community, professional community, hacking community and so forth. Everybody may agree with me if I say that there are tons of people who work on security and everybody work (impliedly or explicitly) to improve security. Maybe this news could be, ... in some how..., offensive for every community that work hard to improve the dam machinery's security and at the end of the day neither one company like Assus cares about that. Maybe it's again another mistake or maybe security is too much undervalued in these days.

Wednesday, February 6, 2008

How to Prevent Magic Pens ?

Sometimes happens something of really funny and you... can't do anything. 
Is it useful working hard to increase the security of electronic vote ? Today during one of our weekly meeting comes out a real story bout MAGIC pens and Electronic Voting. The story is the following one:

" During the super day, the people who have decided to vote, reach the polling place to cast theirs votes following two ways:
1) Voting through Voting Machines
2) Voting through Paper Ballots which will scanned by VM
Usually older voters prefer cast theirs own vote through classical paper ballot rather then "complicated" electronic voting machineries; for that reason they ask to the pool worker the paper and the pen. The pool worker, who is a volunteer (so, he may be "sponsored" by some political people ?? ) say to the voter:
' Here we go! This is the paper ballot, and this is the MAGIC PEN. You know, the polling worker to the voter, today thanks to these machines the privacy is the most important issue to respect, so they build this MAGIC PEN with a particular ink that only the voting machine can read. So let use it like a normal pen and then put your ballot inside this slit (Voting Machine's Scanner). The Voting Machine will read through its special sensors your vote and it'll sent your casted vote directly to the central.
The unwitting old voter will put some invisible signs on the ballot using the fake PEN and, at the end of the fake voting phase he'll try to cast his vote through the voting machine's scanner and he'll go away. The Voting Machine's scanner unable to read the paper will reject the paper, the pooling worker will refill the ballot with his favorite runner and here we are ! Another faked vote. "

In my opinion, this scenario is very interesting to analyze. First of all, every body can become poll worker, that means we cannot absolutely assume that the pool worker is a trusted entity into the complex chain of voting. Said that, I wanna point out it's pretty difficult in US arresting some one for "ignorance attempt".. :) .. So this kind of attack is possible, it's easy and it works. Let me make this question:
Is it true that improving Voting Machine's Security we can improve the voting process ??
I really don't think so. This is another easy social engineering example which bypass every security measure... Again, let me say that: at the end of the day, voting through voting machines is still not secure, everybody know Diebold and Hart cases (if not let see this picture),voting through paper ballot may be too.

So, can we ever guarantee a safe election ?

Monday, February 4, 2008

Is Your Browser ACID ?

This is an interesting site where you can test your browser compatibilities.
Of course, more your browser has been hardened more the test will fail.
Mine is only 39% .... :-(

Here the site.


Lots of useful security's (and non) PlugIns have been developed for Firefox so far. However, nowadays Firefox is one of the most INsecure web browser in the net. Every day tens of security issues and/or bugs come over. Personally I prefer "new" Safari because faster and extremely secure. But why people are still using Firefox ? To me, the answer is: "Firefox has lots of PlugIns that Safari hasn't ".

Maybe PimpMySafary has not plenty PlugIng for Safari but it's a pretty new community. I found very useful tools in this site so I decided to share with you. I hope you will enjoy it ! :-D

Friday, February 1, 2008

PHP Downloader Vulnerability

Hi Folks,
this morning I wanna point out a very useful (ok, it depends :) ) vulnerability found inside some PHP Downloader. First of all Let me say what is a vulnerability: " We call vulnerability a bug with security implications " . So if your code has a bug probably it could be vulnerable at some kind of attacks. In this particular scenario the code looks like that:

No controls on file type, no controls on location. Just give the file's name and the file's path and it'll open it in read mode. This is a bug. Why this bug can been considered Vulnerability ? Because if you ask some specific System's files to this downloader implementation, it will give you every files you want.
Just for example you can try with the following URI (maybe someone has been fixed):

One of the previous URI gave me the following file which shows the passwd file of the machine. Here it is.

As you may see, from the users names, it's very easy to figure out which kind of services the machine has. For instance the machine runs clam AntiVirus, ssh server, virtual console, MySQL and so forth. For the most experts of you, it's easy forging this request exploiting the server asking for passwords' file and/or for system's files... Thanks to google, this bug which is just became a Vulnerability; can reach the MassVulnearbility status and - if coded inside a script - (for instance a perl script) it can become a Massive Exploit. Why I'm saying that ? Using google it's easy to find lots of different pages affected to this bug. Just typing : inurl:”download.php?file=*.pdf” you will find lots of download.php file. Now try to change some parameters on the URI bar and here we are ! You've just found plenty of vulnerable downloader scripts. Well, this post doesn't want teaching how to overuse this Vulnerability, it doesn't want teaching hacking and/or how to break security too. I wanna only say -through it- that, not every bug is a vulnerability and also not every vulnerability comes from a bug (let think to Social Engineering), BUT most of vulnerabilities come from developer and/or programming mistakes. For this reason it so important don't sleep a code.... trying to avoid this elementary security mistakes.... and it's so important having a good software engineering project behind your shoulders able to prevent and, at least, to correct quickly these mistakes.