Sunday, October 31, 2010

A great Sunday reading.

Folks, today I suggest this interesting reading entitled: E-voting: How secure is it?

"One of the great fears in an internet election is that you are exposing our votes to manipulation by foreign powers," said Jefferson. "I just consider this to be a major national security risk; a totally unnecessary, needless risk and it's shocking to me that election officials turn away from this. They don't want to hear it, and they certainly don't want to do anything about it."

Short, incisive and clear. Take a look.

Friday, October 29, 2010

The Nerdiest Clock I Have Ever Seen!

How funny is this clock? Round(p) made me laugh for hours :D !!

Thursday, October 28, 2010

Firesheep, amazing simplicity.

Probably everybody already knows what Firesheep is. Announced at ToorCon 12, it is a session-sniffing and session-hijacking Firefox plugin.

If you are a "hard-core" hacker you are probably thinking: "WTF is that? Where is the innovation in a freaking session sniffer and/or hijacker?". Well, I say nothing. It is nothing new per se, but it is easy, extremely easy to use. With this well-made tool everybody will be able to hijack sessions carried over plain HTTP. So yes, nothing new, but it is a really, really well-made nothing new. Before Firesheep the probability of finding a hijacker at the internet point down your street was pretty low; now it is going to be pretty high. I won't say that SSL encryption alone is enough to prevent this attack, nor will I say that you need to pay attention to certificate spoofing and HTTPS-splitting techniques; I just want to point out that we've crossed the feasibility threshold one more time.

Now it's time to build new security weapons....
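The cheapest defensive check against this class of attack is on the server side: a session cookie that is ever sent over plain HTTP is a session that can be sniffed and replayed. The following is an added example (not code from the original post or from the Firesheep project) that audits a set of response headers for session-looking cookies missing the Secure and HttpOnly flags and for a missing Strict-Transport-Security header. The header lists and the session-name heuristics are constructed for illustration.

```python
"""Audit HTTP response headers for session cookies exposed to plain-HTTP sniffing.

Added example, not part of the original post. A response is modelled as a
list of (header-name, value) tuples; the two sample responses below are
constructed for illustration.
"""

# Substrings that usually mark a cookie as carrying a login session (assumed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie-name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def looks_like_session_cookie(name):
    """Crude name-based guess at whether a cookie holds a session identifier."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(headers):
    """Return a list of findings (strings) for one response's headers."""
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]
    if not any(k == "strict-transport-security" for k, _ in lowered):
        findings.append("no Strict-Transport-Security header: the browser can still be "
                        "steered onto plain HTTP where cookies without Secure leak")
    for key, value in lowered:
        if key != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not looks_like_session_cookie(name):
            continue
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it is sent over plain HTTP "
                            "and can be sniffed and replayed")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by injected script")
    return findings


# Constructed samples: a 2010-style response and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["no findings"])
```

The same audit can be run against a live site by feeding it the header list from any HTTP client; the point is that the Secure flag alone closes the sniffing window, while HSTS is what stops a downgrade to HTTP in the first place.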

Tuesday, October 26, 2010

Yet More Voting Machine Implementation Issues

Las Vegas, Nevada: an oversensitive touch screen registers unwanted "clicks".

Voter Joyce Ferrara said when they went to vote for Republican Sharron Angle, her Democratic opponent, Sen. Harry Reid's name was already checked.

FOX5 news explains everything in the following video.

Sunday, October 24, 2010

A Great Interview (RSA 2010)

Folks, here is a very nice interview with Bruce Schneier.

From authentication to Facebook authorization. Take a look!

FaceTime for Mac: Huge Security Hole

FaceTime lets Mac users video-chat with other Macs, iPhones and iPod Touches.

Macworld Germany has noted that once a user has logged into FaceTime for Mac with his or her Apple ID, the password on the account can be changed from FaceTime without knowledge of the old password, leaving the account ripe for the picking by any passersby of the physical computer.

The sabotage of an Apple ID is as easy as navigating through FaceTime's preferences menu to the "View Account" page. Once there, whoever happens to be sitting at the computer can change the associated account password.

As long as the password satisfies all the security rules, the change instantly applies across the Apple ID account. For example, changing the password in FaceTime and subsequently accessing the iTunes Store will result in a prompt from iTunes to re-enter your password, and the old one will not work.

Signing out of FaceTime won't help, either—the program saves your password to the field, and there's no way to opt out of password memory. FaceTime will not let users delete the only e-mail address associated with the account, so if you've already signed up, you're kind of stuck.

If your account is hijacked, the worst-case scenario is your tormentor going on an iTunes Store shopping spree on your dime. If you're wise to the password change, you can flip the password back just as easily. Still, you might want to maintain constant vigilance until Apple releases some kind of hotfix. Especially if the office prankster asks if he can use your computer to FaceTime with his sick grandmother.


Wednesday, October 20, 2010

Malware2010 Status + SMAU.

I did not go to Nancy, France (Malware2010) to present my paper on multi-stage malware, because France is totally inaccessible due to the general strikes. I will definitely try next year; I really would like to present (in person) some of my work at the Malware conference. This year I sent a video with my presentation... nothing really exciting, I know. I want to apologize to all the folks who are watching the presentation right now.

Fortunately or not, I have another backup trip, to Milan. In this period I had two overlapping trips, so when the first one died I switched to the second one. The second one is to SMAU 2010, to present another work of mine. Let's go there and see if Italian railways are better than the French ones... tomorrow...

I will be at SMAU tomorrow and the day after tomorrow. If you are in Milan, please come and say hello! :)

Monday, October 18, 2010

PinDr0p: Voice-routing Call Fingerprint System.

A very good piece of research, led by Georgia Tech: PinDr0p.

It works by analysing the various characteristic noise artifacts left in audio by the different types of voice network - cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing to avoid giving away the origin of a call will often route a call through multiple different network types.

The PinDr0p analysis can't produce an IP address or geographical location for a given caller, but once it has a few calls via a given route, it can subsequently recognise further calls via the same route with a high degree of accuracy: 97.5 per cent following three calls and almost 100 per cent after five.

I believe it might be very interesting for Prof. Cerroni or Dr. Campi. Guys, take a look here, and here.

Wednesday, October 13, 2010

The Connector number 3 (iPhone 3Gs)

After 4 emails in a row I decided to write this little post on connector 3. Of course I am talking about the iPhone 3G(S). Some friends of mine asked me how to reattach the speaker cable to connector 3 once it has been disconnected.

Actually, it is not really hard. You just need to remember that the connector has two positions: (1) the closed position, where it holds the cable, and (2) the open position, where it lets the cable move in and out freely. With a small flat screwdriver you can shift it from position (1) to position (2) and vice versa. Please watch out: this operation is pretty delicate. Once you have the connector in position (2) you can try to insert cable number 3 into it without disassembling anything. The connector was designed so that its cable fits perfectly, so do not worry, you can fit it without any additional disassembly.

My trick: I lay the left side of the cable on the connector. I push it a little bit hard, making sure the left side of the cable fits in. Then I force the right side of the cable a little bit. By forcing the right side, the left one comes back out a little, but the result is that the whole cable is in the connector. Once I have that, I just push the whole cable into the connector. Then it's time to switch the connector back to position (1).

Here is a little curiosity: the iPhone connectors 3 (the number 3) are not all equal.

Well, I don't know why; probably different production runs? Or did Apple change manufacturer along the way?
Anyway, it can happen that you break connector 3, so if you need a new one, here you can buy it. This is going to be pretty difficult. I've never broken connector number 3, so I have no experience replacing it. I can only suggest this web site, which explains pretty well how to do that. Have a nice assembly! :D

First Multi-Stage Malware Ready

Yes, I am ready to show it at the Malware2010 conference.

I am not sure about the reactions; so far I've got very good and very careless reactions... we will see.

Tuesday, October 12, 2010

Just Fun !

Hey folks,
this morning a friend of mine pointed out this image to me in my Facebook feed. It is hilarious!

From PhD-Comics.

Friday, October 8, 2010

libc Implementation Bug.

A flaw in the implementation of the glob() function in various C libraries (libc) can be exploited to remotely cripple FTP servers. As many FTP servers allow anonymous log-ins, and the flaw is said to be easy to exploit, many servers are at risk of falling victim to the attack. A report by security specialist Maksymilian Arciemowicz says that even large FTP servers such as those run by Adobe and HP are affected. The problem exists because GLOB_LIMIT, a feature added in 2001 to limit the amount of memory used by the glob() function, is ineffective. Globbing, as it is called, calls on the glob() function to match wildcard patterns when generating a list of matching file names. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns, and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

From SecurityReason we get the fully documented explanation.

But let's see an example:

> telnet 21
Connected to
Escape character is '^]'.
220 FTP server (NetBSD-ftpd 20100320) ready.
user anonymous
331 Guest login ok, type your name as password.
pass anon@cxib
The NetBSD Project FTP Server located in Redwood City, CA, USA

230 Guest login ok, access restrictions apply.

This request will generate 100% process usage for a long time. ftpd goes
into glob(3) and will not come out fast. A very similar symptom was described in
the vulnerability for glibc strfmon(3).

- - --
Interestingly, the PHP memory_limit has no control over what
happens at the level of the libc. The function strfmon(3) can allocate a lot of
data in memory without being controlled by the PHP memory_limit.

For example:
php -r 'money_format("%.1343741821i",1);'

will allocate ~1049MB real memory.
memory_limit can be less than 1049M
- - --

ftpd also doesn't control what will happen in libc.

So it is enough to send
- ---
USER anonymous
STAT */..[calculated pattern]
- ---

and then disconnect and connect again (bypassing firewall limits). In PHP we can
also bypass max_memory_limit through libc vulns.

Attacking a machine in this way, we can cause various side effects.
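Since GLOB_LIMIT does not stop the expansion in time, a server that hands user input to glob() has to bound the work itself, before the libc ever sees the pattern. The following is an added example, not code from the advisory or from any ftpd: a STAT/LIST-style handler that first rejects patterns that are too long, carry too many wildcards or contain ".." segments (the re-entering "*/.." shape the advisory describes), and then expands the survivors against an in-memory directory tree with a hard cap on how many matches it will carry at any depth. The tree and the limit values are constructed for illustration.

```python
"""Bounding wildcard expansion in an FTP-style STAT/LIST handler.

Added example, not code from the advisory or from any ftpd. The directory tree
is constructed in memory so the example runs offline; the limits are
illustrative values chosen for this example.
"""
import fnmatch

MAX_PATTERN_LEN = 256   # assumed limit on pattern length
MAX_WILDCARDS = 8       # assumed limit on *, ? and [ occurrences
MAX_SEGMENTS = 8        # assumed limit on path depth
MAX_MATCHES = 1000      # assumed cap on matches carried per path segment


class PatternRejected(ValueError):
    """Raised before or during expansion when a pattern exceeds the budget."""


def check_pattern(pattern):
    """Cheap syntactic gate applied before any expansion work; returns the path segments."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise PatternRejected("pattern too long")
    if sum(pattern.count(c) for c in "*?[") > MAX_WILDCARDS:
        raise PatternRejected("too many wildcards")
    segments = pattern.strip("/").split("/")
    if len(segments) > MAX_SEGMENTS:
        raise PatternRejected("pattern too deep")
    if ".." in segments:
        # "*/.." re-enters every matched directory, multiplying the search at each step
        raise PatternRejected("parent-directory segments not allowed")
    return segments


def bounded_glob(pattern, tree):
    """Expand pattern against a nested-dict tree, aborting once MAX_MATCHES is exceeded.

    Directories are dicts, files are None, e.g. {"pub": {"a.txt": None}}.
    Returns the sorted list of matching absolute paths.
    """
    segments = check_pattern(pattern)
    frontier = [("", tree)]
    for seg in segments:
        next_frontier = []
        for path, node in frontier:
            if not isinstance(node, dict):
                continue  # files have no children to descend into
            for name, child in node.items():
                if fnmatch.fnmatchcase(name, seg):
                    next_frontier.append((f"{path}/{name}", child))
                    if len(next_frontier) > MAX_MATCHES:
                        raise PatternRejected("too many matches")
        frontier = next_frontier
    return sorted(path for path, _ in frontier)


# Constructed sample tree standing in for an anonymous FTP root.
SAMPLE_TREE = {
    "pub": {
        "README": None,
        "NetBSD-5.1": {"amd64": {"INSTALL.txt": None}, "i386": {"INSTALL.txt": None}},
        "notes.txt": None,
    },
    "incoming": {},
}


def is_rejected(pattern, tree=SAMPLE_TREE):
    """True if the pattern is refused by the gate or by the match cap."""
    try:
        bounded_glob(pattern, tree)
    except PatternRejected:
        return True
    return False


if __name__ == "__main__":
    print(bounded_glob("pub/*.txt", SAMPLE_TREE))
    for bad in ("*/../*/../*/../*", "*" * 20):
        print(f"{bad!r} rejected: {is_rejected(bad)}")
```

The gate runs in linear time over the pattern, so a client cannot make the server pay for expansion work it is going to refuse anyway; the per-segment cap is what bounds the memory that a legitimate-looking but very broad pattern can consume.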

BIOS Passwords Backdoors

Another interesting blog post. I just need to quote it.

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, there are not new penalties such as additional passwords, locks and so on. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing. Another method commonly used is that instead of a checksum, a number is displayed from which a randomly generated password can be calculated. Quite often, vendors also resort to storing the password in plain text, and instead of printing out just a checksum, an encrypted version of the password is shown.

Thursday, October 7, 2010

Hacking the D.C. Internet Voting Pilot

A group of well-known researchers in e-voting system security from the University of Michigan found a huge vulnerability (they call it "small", but it really isn't small) in the D.C. Internet Voting Pilot Project.

They found a vulnerability in the way the system processes uploaded ballots. They confirmed the problem using their own test installation of the web application, and found that one could gain the same access privileges as the server application itself, including read and write access to the encrypted ballots and the database.

The problem, which geeks classify as a “shell-injection vulnerability,” has to do with the ballot upload procedure. When a voter follows the instructions and uploads a completed ballot as a PDF file, the server saves it as a temporary file and encrypts it using a command-line tool called GnuPG. Internally, the server executes the command gpg with the name of this temporary file as a parameter: gpg […] /tmp/stream,28957,0.pdf.

What they did was:

We realized that although the server replaces the filename with an automatically generated name ("stream,28957,0" in this example), it keeps whatever file extension the voter provided. Instead of a file ending in ".pdf," we could upload a file with a name that ended in almost any string we wanted, and this string would become part of the command the server executed. By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename "ballot.$(sleep 10)pdf" would cause the server to pause for ten seconds (executing the "sleep 10" command) before responding. In effect, this vulnerability allowed us to remotely log in to the server as a privileged user.

J. Alex Halderman continued with some reflections on Internet voting security, which I simply quote; I cannot agree more.

The specific vulnerability that we exploited is simple to fix, but it will be vastly more difficult to make the system secure. We've found a number of other problems in the system, and everything we've seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I'm confident that we would have found another way to attack the system.

None of this will come as a surprise to Internet security experts, who are familiar with the many kinds of attacks that major web sites suffer from on a daily basis. It may someday be possible to build a secure method for submitting ballots over the Internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today's security technology.
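The root cause above is a user-controlled string reaching a shell. The following is an added example, not the D.C. pilot's code, contrasting the vulnerable construction with the two fixes that close it: an allow-list on the extension, and a server-generated temporary name passed to gpg as an argv list so no shell ever parses it. The temporary directory and recipient key id are placeholders, and nothing here executes gpg; the functions return the command they would run so the behaviour can be checked offline.

```python
"""Building the ballot-encryption command without a shell.

Added example, not the D.C. pilot's code. TEMP_DIR and RECIPIENT are
placeholders; the functions return the command line rather than running it.
"""
import re
import secrets

ALLOWED_EXTENSIONS = {"pdf"}               # the only upload type the pilot expects
TEMP_DIR = "/tmp"                          # placeholder
RECIPIENT = "BALLOT-KEY-ID-PLACEHOLDER"    # placeholder gpg key id


def build_command_unsafe(upload_name, counter):
    """The pattern the researchers describe: the voter's extension is spliced into a
    single string that a shell interprets, so "$(...)" in the extension executes."""
    ext = upload_name.rsplit(".", 1)[-1]
    tmp = f"{TEMP_DIR}/stream,{counter},0.{ext}"
    return f"gpg --encrypt --recipient {RECIPIENT} {tmp}"


def safe_extension(upload_name):
    """Return the lower-cased extension only if it is alphanumeric and on the allow list."""
    _, dot, ext = upload_name.rpartition(".")
    ext = ext.lower()
    if not dot or not re.fullmatch(r"[a-z0-9]{1,8}", ext) or ext not in ALLOWED_EXTENSIONS:
        raise ValueError("unexpected upload extension")
    return ext


def build_command(upload_name):
    """argv list with a server-generated name; nothing from the upload name survives
    except a validated extension, and subprocess.run(argv) without shell=True hands
    each element verbatim to execve, so metacharacters are inert."""
    ext = safe_extension(upload_name)
    tmp = f"{TEMP_DIR}/ballot-{secrets.token_hex(8)}.{ext}"
    return ["gpg", "--batch", "--encrypt", "--recipient", RECIPIENT, tmp]


def is_rejected(upload_name):
    """True if the hardened builder refuses the upload name."""
    try:
        build_command(upload_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hostile = "ballot.$(sleep 10)pdf"   # the filename from the researchers' write-up
    print("unsafe:", build_command_unsafe(hostile, 28957))
    print("hardened rejects hostile name:", is_rejected(hostile))
    print("hardened argv:", build_command("my ballot.pdf"))
```

Even with the allow-list in place, the argv form is the one worth keeping: it removes the shell from the path entirely, so a future oversight in validation degrades to a bad filename rather than to command execution.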

Wednesday, October 6, 2010

L517: Windows wordlist generator

This is kind of cool.
I've just used L517 and it works fine. It's a simple wordlist generator for Windows; it does nothing exceptional, but it does its job in a very complete way. L517 contains hundreds of options for generating a large, personalized, and/or generic wordlist. With L517, you can generate phone numbers, dates, or every possible password with only a few clicks of the keyboard, all the while filtering unwanted passwords.

It is a web link worth remembering.

Sunday, October 3, 2010

MasterCard and Visa sites bitten by XSS bugs

Yes, in 2010 this still happens!

XSS bugs on the websites of the world's largest payment/credit-card proccessors are unacceptable. Most of the world's financial institutions issue a Visa or a MasterCard to consumers. Even if their vulnerable sites do not hold real personal or financial information about consumers, malicious people can still leverage the XSS bugs with phishing

Via "xssed"