Bitland.Net Security Notes http://www.bitland.net Security notes from Jonathan Wilkins

Wilkins Law of Modern Life http://www.bitland.net/2008/09/22#modern_life-200809221430

Some of the renovations I've been doing around the house have led me to believe this: <b>If what you're doing sucks and isn't in a field invented this decade, then someone has invented a better technique or a tool to make it easier.</b> If the tool is really expensive or the technique is hard to learn there are 2 corollaries: Corollary 1: If what you're doing is common, you can usually find someone with the appropriate tool or training to do it cheaply. If what you're doing is obscure, it'll cost you a lot. Corollary 2: If it's obscure and you have any interest or limited funds, learning it or building your own equivalent of the tool is a good approach. Corollary 3: Not having a clue how it's supposed to be done leads to novel solutions, some of which are better than any you'd be taught. I refinished my kitchen floors. They were cement underneath linoleum. Initially I used a solvent to get rid of the bulk of the glue and then a sander to remove the rest. Then I discovered angle grinders, and an area that had taken an hour took me 5 minutes. Along the way, I also learned how to match cement colors, something that everyone I talked to said wasn't possible, but I've learned they probably meant not worth bothering with. I've also been messing around with video. Building a good steadycam can be done for $30 (or a passable one for almost free) or you can dish out $800 for one made by Steadicam.

Quick Build Hacks for OSX http://www.bitland.net/2008/08/06#build_fixes-200808061450

When you're building code under OS X, there are a few changes you'll often have to make to the Makefiles.
<pre>
LIBTYPE=dylib                                          # instead of 'so'
SOFLAGS=-dynamiclib -flat_namespace -undefined suppress # instead of '-shared'
LDRFLAGS=                                              # instead of -Wl,...
DLDFLAGS=-bundle                                       # instead of -rdynamic, -Wl,...
</pre>

What nations are for http://www.bitland.net/2008/08/04#nations-200808041352

"The world is full of unimaginable horrors and humans being deprived from basic necessities and rights. The idea of a nation is to divide the world into blocks that are small enough that you could possibly do something about the terrible condition in which you and your fellow citizens exist." - <a href="http://tech.slashdot.org/article.pl?sid=08/08/02/0028233&from=rss"> Anonymous comment on slashdot</a>

Capistrano 2 can handle different usernames on different hosts http://www.bitland.net/2008/05/12#capistrano_ssh_usernames-200805122200

Sometimes you'll want to deploy to different servers with different usernames. I googled around and didn't find a clean solution, though Matthew Deiters had <a href="http://www.theagiledeveloper.com/commentaries/44">a reasonable monkey patch</a>. I'm not sure if this is a recent addition to the underlying Net::SSH library, but I checked to see if the standard ssh configuration file was obeyed and it turns out that it is. All you have to do is add an entry like the following to your ~/.ssh/config file.
<pre>
Host your.host.name
  HostName your.host.name
  User username
</pre>

Quick Proxy, or Why I Love Ruby pt 9215 http://www.bitland.net/2008/02/02#quickproxy-200802021125
<pre>
# Quick basic proxy, just strips accept-encoding header and dumps
# to files in the local directory using the WebScarab naming convention
# (0-request, 0-response ...)
require 'net/http'
require 'webrick/httpproxy'

s = WEBrick::HTTPProxyServer.new(
  :Port => 9999,
  # Runs before the request is forwarded: drop accept-encoding so the
  # response comes back uncompressed, then write the raw request.
  :RequestCallback => Proc.new { |req, res|
    $count ||= 0
    req.header.delete('accept-encoding')
    open("#{$count}-request", "wb+") { |f|
      # raw_header is an array of header lines, so join it rather than interpolating the array
      f << "#{req.request_line}#{req.raw_header.join}\r\n#{req.body}"
    }
  },
  # Runs once the upstream response has been read: write status, headers and body.
  :ProxyContentHandler => Proc.new { |req, res|
    open("#{$count}-response", "wb+") { |f|
      f << res.status_line
      res.header.keys.each { |k| f << "#{k.capitalize}: #{res.header[k]}\r\n" }
      f << "\r\n#{res.body}"
    }
    $count += 1
  }
)
trap("INT") { s.shutdown }
s.start
</pre>

Conducting interviews http://www.bitland.net/2007/11/16#interviewing-200711161300

I haven't interviewed anyone in a long time, but I had a thought today. The next time I do one, I'm not going to ask any coding questions or logic problems. Instead I'm going to ask a series of questions like:
<ul>
<li>VI or emacs?</li>
<li>How do you prefer to arrange your source repository and what SCM do you prefer?</li>
<li>Python or Ruby or?</li>
<li>Favorite programming font?</li>
<li>Tabs vs spaces?</li>
<li>Braces on the end of the line or on a new line and how do you indent?</li>
</ul>
And follow those up with an open ended why? If they can give a decent answer, the content will probably be irrelevant, or something that you've already heard, but the more I talk to bad developers, the more I realize how little they care about the environment in which they program. In contrast, the more I talk to really good developers (and the closer I approach that status) the more I see how much attention they pay to the smallest things in their environment and how that increases their productivity. They care about the code they are writing and they do the maximum to make it easy to focus on that code. They have an opinion on the interminable debates such as vi vs emacs and bsd vs linux.
It doesn't matter whether we agree on editor choice because as long as they had a reasonable answer to why, they're more likely to churn out decent code than the guy who can whiteboard a quicksort. (Though it's known as the One True Brace Style for a reason...)

Ruby's equivalent of Python's setattr http://www.bitland.net/2007/09/17#setattr_equiv-200709171535

I am still really new to <a href="http://www.ruby-lang.org">Ruby</a> but I'm jumping in with both feet. As a result I figured out metaprogramming before I knew what the ! operator did. Anyway, I was trying to find out the equivalent of <a href="http://www.python.org">Python's</a> setattr when I came across <a href="http://www.devsource.com/article2/0,1759,1928562,00.asp"> Hal Fulton's 'An Exercise in Metaprogramming with Ruby'</a>. That and some hints from <a href="http://www.nabble.com/simple-way-to-encapsulate-class-%3C%3C-self---attr_accessor-:xyz---end--t4400373.html">a ruby-talk thread on attr_accessor</a> allowed me to translate this Python code I'd written for dealing with MySpace profiles from:
<pre>
print "Getting Profile Nodes.."
for p in ['ProfileMusic', 'ProfileGeneral', 'ProfileBooks', 'ProfileHeroes']:
    try:
        v = self.soup.first('td', id=p).string
        setattr(self, p, v)
    except:
        setattr(self, p, None)
</pre>
Into this Ruby:
<pre>
(page/"td").each do |t|
  tid = t.attributes['id']
  # anchored so that only ids starting with "Profile" match; tid[7..-1] is the part after it
  if /^Profile(.*)/ =~ tid
    pname = tid[7..-1].downcase
    # spaces and slashes become underscores, anything else non-word is dropped
    pname = pname.gsub(/[ \/]/, "_").gsub(/[^\w]/, "").squeeze('_')
    instance_variable_set("@" + pname, t.inner_html)
    eval("class << self; attr_accessor :#{pname}; end")
  end
end
</pre>
The Ruby uses <a href="http://code.whytheluckystiff.net/hpricot/">Hpricot</a> instead of <a href="http://www.crummy.com/software/BeautifulSoup/">BeautifulSoup</a>, but is more generalized and OOish. I'm a little uncomfortable with the security of the eval, but the technique is useful and I couldn't google a better solution. If you have something better, let me know.
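The same dynamic-accessor technique without the eval, as an added example that is not from the original post: the accessor is created on the singleton class with a Symbol argument, the final name is whitelisted, and existing methods are never clobbered. Hpricot is replaced by constructed [id, html] pairs so it runs stand-alone, and the Profile class name is an assumption.

```ruby
# Added example (not the original post's code). Input: constructed [id, html]
# pairs standing in for the Hpricot td elements; Profile is a hypothetical class.
class Profile
  # Only names that are valid Ruby identifiers become accessors.
  NAME_RE = /\A[a-z_][a-z0-9_]*\z/

  attr_reader :fields

  def initialize(cells)
    @fields = []
    cells.each do |tid, html|
      next unless tid && tid.start_with?("Profile")
      define_field(normalize(tid[7..-1]), html)
    end
  end

  private

  # Same normalization as the original: downcase, spaces and slashes to '_',
  # drop every other non-word character, collapse repeated underscores.
  def normalize(raw)
    raw.downcase.gsub(%r{[ /]}, "_").gsub(/[^\w]/, "").squeeze("_")
  end

  def define_field(name, value)
    # Whitelist the result rather than trusting the gsub chain: an id that
    # normalizes to "" or starts with a digit is not a usable method name.
    return unless name =~ NAME_RE
    # Never overwrite something the object already responds to (e.g. "fields",
    # "initialize"), which is what an unchecked accessor definition could do.
    return if respond_to?(name, true)
    instance_variable_set("@#{name}", value)
    # attr_accessor on the singleton class does exactly what the eval string
    # did, but the name travels as a Symbol and is never interpolated into code.
    singleton_class.send(:attr_accessor, name.to_sym)
    @fields << name
  end
end
```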
IEs4Linux http://www.bitland.net/2007/06/24#ie4linux-200706241330 Check out <a href="http://www.tatanka.com.br/ies4linux/page/Main_Page"> IEs4Linux</a>, a really easy to install set of Internet Explorer versions that will run on Linux under Wine. The build includes IE5, 5.5 and 6. Switching http://www.bitland.net/2007/06/17#ubuntu-200706171645 So I've made the switch, though not the one that most people in the security industry have made. Instead of going to <a href="http://apple.com">Apple</a>, I've gone to <a href="http://www.ubuntu.com">Ubuntu</a>. <p> I used to use <a href="http://www.freebsd.org">FreeBSD</a> way back in the day, but switched to <a href="http://www.openbsd.org">OpenBSD</a> as my preferred Unix sometime in late 1996 or early 1997. I always had a PC running some version of Windows as well since there was always something I needed or (post vmware) that didn't quite work in a VM. <p> I made a couple of forays into the Linux world, but various things just didn't work properly. RedHat *almost* got it right, just before they abandoned desktop Linux and spun off the Fedora project. Mandrake got my hopes up for a little while and I had a file server using Loop AES that was a major improvement over my prior OpenBSD/cfs setup. But there was always some major issue with desktop Linux that made it unbearable for me. And while OpenBSD and FreeBSD were OK, they just didn't keep up with the apps I wanted. (For instance, OpenBSD gave up on VMWare ages ago and VMWare 3 is the latest they seem to support.) <p> I looked seriously at the Mac laptops, but the screen resolution and weight factors just didn't compare to PC laptops. The latest screens have some promise, but I've gotten pretty offended by Apple's treatment of the security community (Maynor et al) and their relationship with the RIAA/MPAA and their stance on DRM. (BTW, if you can get a DRM fix out in hours, you can do the same with security fixes...). But I digress ... 
<p> I've been running Ubuntu on my laptop (a Thinkpad X60 Tablet) and I can't say how much I like it. No major problems. VMWare 6 works beautifully. Disk crypto tools (Loop AES and TrueCrypt) are both happy. Video is solid. Drivers, including the one for my pre-N wireless card, work. The only thing that doesn't work is the pressure sensitivity for the pen interface in virtual machines, and that *does* work if I plug in a USB tablet instead of using the built in tablet, which isn't as good as the external Wacom tablet I use anyway... <p> Given my experience, I'm probably days away from killing my last physical Windows box and moving to Windows in VM's only. <p> OpenBSD will continue to be my server OS and run my mail/web servers, but I have to say that desktop wise, Ubuntu is my favorite.

Fixing the Firefox profile selection dialog http://www.bitland.net/2007/05/18#multiple_mozilla2-200705181400

If you have a bunch of profiles, then the non-resizable profile selection dialog that pops up when you launch Firefox is a bit of an annoyance. To fix this: <p> On *nix - edit /usr/share/firefox/chrome/toolkit/content/mozapps/profile/profileSelection.xul around line 91
<pre>
&lt;listbox id="profiles" <b>rows="10"</b> seltype="single"
         ondblclick="onProfilesDblClick(event)"
         onkeypress="onProfilesKey(event);"&gt;
&lt;/listbox&gt;
</pre>
<p> On Windows you have to jump through a few more hoops. Go to \Program Files\Mozilla Firefox\chrome and unzip toolkit.jar, then edit content\mozapps\profile\profileSelection.xul the same as above. I also changed the dialog style (around line 60) to read:
<pre>
style="width: 30em; <b>height:400px;"</b>
</pre>
<p> Then re-zip using store instead of deflate and replace the existing toolkit.jar file. <p> You can also download my <a href="http://bitland.net/firefox-2-toolkit.jar">firefox-2-toolkit.jar</a>, if you don't want to do it yourself. All Firefox sessions have to be closed in order to replace toolkit.jar.
Glitch Attacks and Amateur Cryptographers http://www.bitland.net/2007/05/11#glitch_attacks-200705111205

<a href="http://www.root.org/">Nate</a>'s <a href="http://rdist.root.org">blog (rdist)</a> talks about <a href="http://rdist.root.org/2007/05/07/glitch-attacks-revealed/">Glitch Attacks</a> and links to some good papers on the topic. Basically, this is probably the most interesting general purpose cryptographic attack technique to come about in the past few years. By introducing fluctuations to the power supply or clock you can make the CPU execute a number of wrong instructions. If you can do this, you can recover a DES key with between 1 and 10 faulty ciphertexts. You can factor an RSA key with one. <p> The most fascinating thing is that this technique seems to have originated with the pay-tv hacking community, not from academics or conventional crypto researchers.

A Positive Review for ProxMon http://www.bitland.net/2007/04/03#thanks_andre-200704032357

<a href="http://blogs.owasp.org/dre">Andre Gironda</a> had some <a href="http://blogs.owasp.org/dre/2007/04/01/month-to-month/"> kind words</a> for ProxMon, saying "Last month was web application security awareness month. Just as I predicted, probably some of the best tools for this year were released.<br>Jikto (Billy Hoffman, SPI Dynamics) being #1 and ProxMon (Jonathan Wilkins, iSEC Partners) being #2. Or maybe flip that ordering." <br><br> Thanks Andre!

Official Release http://www.bitland.net/2007/04/03#release-200704032355

I've been on the road for a couple of weeks now with unreliable net access, but last Friday <a href="http://www.isecpartners.com/proxmon.html"> ProxMon</a> was officially released at Black Hat EU.

CanSecWest 2007 http://www.bitland.net/2007/03/14#cansec07-200703142035

ProxMon was accepted for <a href="http://www.cansecwest.com">CanSec</a> this year, so I'll be speaking there as well. That's perfect because I've been missing Vancouver lately.
ScarabMon has been renamed ProxMon http://www.bitland.net/2007/03/14#rename-200703141935

When I started the project, it was just a couple of quick scripts that parsed the WebScarab log directory. Then I discovered that a couple of my co-workers had similar tools and I realized that there must be tons of auditors doing the same thing, so I started thinking about how best to generalize and simplify these scripts. Before long I was staying up until 4am every night hacking on the tool and finding ways to abstract everything. <p> I started looking at supporting other proxies a little while ago and have a couple of cool demos for <a href="http://www.blackhat.com">BlackHat</a> planned. <p> The upshot is that the proxy interface is pretty well defined now, and since I'm not just targeting WebScarab a rename made sense. <p> I've also decided on hosting. The tool will be up at <a href="http://code.google.com">Google Code</a> because they have a nice wiki/bug tracker and support for subversion. <p> <a href="http://code.google.com/p/proxmon">ProxMon's home @ Google Code</a> <p> The one thing they don't have is a way to track downloads, so the distributions will be released off the <a href="http://www.isecpartners.com/tools.html">iSEC tools page</a>. It will be available the day I speak, which will be March 30th.

GMail supports perl style regex http://www.bitland.net/2007/02/26#google_regex-200702261935

I knew that <a href="http://www.google.com/codesearch">Google's Code Search</a> supported <a href="http://www.google.com/intl/en/help/faq_codesearch.html#regexp"> regex style searches</a>, but I didn't realize that <a href="http://gmail.google.com/">GMail</a> did too. <br><br> Gmail supports a slightly different syntax than Code Search though. It's the <a href="http://www.perl.org/">perl</a> syntax, so, if you're reading this, there's a good chance you're familiar with it.
If not, you can read about <a href="http://www.anaesthetist.com/mnm/perl/Findex.htm#regex.htm"> perl regex syntax</a> <br><br> As an example, if I want to quickly check that nothing related to my upcoming talk has been thrown in the spam filter (which it had, argh), but I didn't want to hear about windows vista warez, I could do: <pre> blackhat OR scarabmon in:spam -/windows vista.*download/ </pre> A quick search on google doesn't show anything useful in the first few entries so I'm posting this in hopes of letting people know. <br><br> PS: for a great intro to google's code search, check out <a href="http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/"> Dug Song's Static Code Analysis Using Google Code Search</a> <br><br> UPDATE: I was wrong about standard google search, it's just gmail ScarabMon at BlackHat Europe http://www.bitland.net/2007/02/19#scarabmon_at_blackhat-200702191800 I've been working on a new tool for automating web application penetration tests and I'll be presenting it at <a href="http://www.blackhat.com/html/bh-europe-07/bh-eu-07-index.html"> BlackHat Europe 2007</a>. <p> You can check out the <a href="http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Wilkins">ScarabMon abstract</a> <p> I hope to have the web site up soon, but if you have questions, just email me (jwilkinsatbitlanddotnet). I'll also be looking for beta testers pretty soon. Fourmilab Releases Ent - Randomness Testing Utility http://www.bitland.net/2007/01/20#fourmilab_random-200701201700 Ent is available <a href="http://www.fourmilab.ch/random">here</a> and looks like a good alternative to <a href="http://stat.fsu.edu/pub/diehard/">Diehard</a> or the <a href="http://csrc.nist.gov/rng/">NIST STS suite</a>. 
IE not much better in 2005 or 2006 http://www.bitland.net/2007/01/10#browser_2005_2006-200701101645 <a href="http://blog.washingtonpost.com/securityfix/">Brian Krebs' Security Fix</a> blog did some followup on the <a href="http://www.scanit.be">scanit.be</a> report on 2004. <br><br> Apparently <a href="http://www.microsoft.com/ie">IE</a> fared slightly better in <a href="http://blog.washingtonpost.com/securityfix/2006/02/2005_patch_times_for_firefox_a.html">2005</a> and <a href="http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html">2006</a>, but not remotely well enough. <br><br> IE had 109 days where it was *not* vulnerable to a published exploit. For more than 2/3 of the year, you were simply screwed if you were running IE. <br> Even worse, it was known to be vulnerable to actively exploited vulnerabilities for 38 days. <br><br> 2006 was worse again, though not quite as bad as 2004. In 2006, a fully patched IE was only safe from published vulnerabilities on 81 days of the year. <br><br> Overall, if you were running IE from 2004-2006, you would have been in danger 898/1095 days and only safe on 197 days. <br><br> I didn't see similar statistics for Mozilla for the same period in Krebs' posts, so I hope he does a follow up post. Fully patched IE safe only 7 days in 2004 http://www.bitland.net/2006/12/08#browser_unpatched_vulns-200612081827 I can't find a date on the article, but the folks at <a href="http://www.scanit.be">scanit</a> published a <a href="http://bcheck.scanit.be/bcheck/page.php?name=STATS2004">paper on browser security in 2004</a>. They went through public security resources and tracked the lifetime of various browser vulnerabilities. 
They found that even if you installed all available patches as soon as they came out, if you were running IE, you would still have been vulnerable to publicly disclosed code execution bugs <a href="http://bcheck.scanit.be/bcheck/page.php?name=STATS2004&page=3"> on all but <b>seven</b> days.</a> <br><br> Given the amount of auditing that IE7 has received, I expect that it will fare much better, but this is the sort of thing that has prompted MSFT to invest as much as it has over the past few years. <br><br> Other browser manufacturers fared better, but nowhere near what they should have done. <br><br> If you were running Opera, you could have been owned via publicly disclosed bugs on 65 days. <br><br> Mozilla had the best record of the major browsers, being vulnerable 59 days of the year. <br><br> While that's a major improvement, if you were running Mozilla, you were vulnerable 2/12 months. <br><br> To recap, vulnerable days by browser:
<ul>
<li>IE (358/365)</li>
<li>Opera (65/365)</li>
<li>Mozilla (59/365)</li>
</ul>

Cybercrime nets more than illegal drugs in 2004 http://www.bitland.net/2006/12/08#cybercrime_vs_drugs-200612081515

I just read <a href="http://www.securityabsurdity.com/failure.php">here</a> that in 2004 computer crime exceeded the illegal drug trade in revenues. Apparently the take was around $105 billion.

Multiple Instances of Portable Firefox http://www.bitland.net/2006/12/04#multiple_firefox_portable-200612042020

<a href="http://portableapps.com/apps/internet/firefox_portable"> Firefox Portable</a> is great when you want to test against prior versions of the browser, but by default it doesn't allow multiple instances. This means you can't run it alongside your current version of Firefox or under different profiles simultaneously.
In order to fix this, just copy the file <b>FirefoxPortable.ini</b> from the <b>Other</b> subdirectory of your portable Firefox installation to the same directory as <b>FirefoxPortable.exe</b> and change the <b>AllowMultipleInstances</b> line to true.

Only allow GET and HEAD requests under Apache http://www.bitland.net/2006/12/04#only_get_head-200612041900

Disallowing TRACE under Apache is a standard requirement for most sites these days due to <a href="">Cross Site Tracing (XST)</a>. Most pages that make this recommendation suggest using mod_rewrite (./configure --enable-rewrite) and an entry in httpd.conf like the following:
<pre>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</pre>
<br> This is fine, but lots of times the other verbs aren't needed anyway. Given that, why allow them? <br><br> Here's a better ruleset:
<pre>
RewriteEngine on
# anchored at both ends so that only a method that is exactly GET or HEAD passes
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$
RewriteRule .* - [F]
</pre>
<br> You may need POST or other methods, but it's simple to add them. Also note that if you're using virtual hosts, you have to place this in each VirtualHost section as it's not inherited by default.

Tinfoil Hats *Magnify* Radiation http://www.bitland.net/2006/12/04#tinfoilhats-200612041200

Just linking this piece of silliness because I read it over the summer and then lost it and needed it in a conversation recently. <br><br> <a href="http://www.popsci.com/popsci/science/3906c0f98d07b010vgnvcm1000004eecbccdrcrd.html">MIT grad students investigate the effectiveness of tin foil hats</a> "Overall, the foil effectively weakened radio waves by up to 10 decibels over most of the frequency spectrum (there were no significant differences among helmet shapes).
But at 1.2 and 2.6 GHz which fall within the band reserved for government satellites, GPS systems and mobile phone corporations passage through the foil amplified these waves by 20 to 30 decibels" GET considered harmful http://www.bitland.net/2006/12/03#get_considered_harmful-200612030115 Ok, it's not quite that bad, but I'm seeing a ton of web application developers making the same mistake in the use of the GET method. Essentially, GET is only supposed to be used in cases where no data is being changed on the server. This is spelled out in the HTTP RFC (see <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html">RFC 2616 section 9</a> for details), and is responsible for at least a few major bugs over the years. I even recently came across this error on <a href="http://developer.yahoo.com/security">Yahoo's Developer Security Best Practice page</a> (see the Request Forgery section). <br><br> The HTTP/1.1 RFC says that GET and HEAD in particular are supposed to be safe and idempotent. This means that they should not perform any action other than retrieval (safe) and that there should be no side effects of multiple calls (idempotent). <br><br> The most famous error of this type was when Google released the <a href="http://webaccelerator.google.com">Google Web Accelerator (GWA)</a>. This broke a ton of applications and particularly those that were based on <a href="http://www.rubyonrails.org">Ruby on Rails</a> since applications built with Rails were especially prone to use GETs to perform actions. <br><br> In order to speed up the user's experience GWA would pre-fetch all of the links on a page. This was great for images and so forth, but Rails applications were doing things like deleting records and cancelling accounts through GETs. <br><br> The authors of some web applications made things worse by relying on JavaScript confirmations. Of course, GWA (correctly) wasn't doing JavaScript.
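The GWA failure mode above, as an added example that is not from the original post: a tiny in-memory app with a Rails-style "delete" link, run once with the delete action accepting GET and once refusing it, against a constructed prefetcher that fetches every link on the page (and, like GWA, never evaluates JavaScript confirmations). The RecordApp class, its routes and the record data are all made up for this illustration.

```ruby
# Added example (not the original post's code). RecordApp, its routes and the
# sample records are constructed; the prefetcher simulates an accelerator
# that GETs every href on a page, exactly the situation the post describes.
class RecordApp
  attr_reader :records

  # safe_get: true  => GET may only retrieve (RFC 2616 s9.1.1, "safe")
  #           false => the era's Rails habit of deleting via a GET link
  def initialize(safe_get)
    @safe_get = safe_get
    @records = { 1 => "alpha", 2 => "beta", 3 => "gamma" }
  end

  # Dispatch one request and return an HTTP status code.
  def call(method, path)
    case path
    when %r{\A/records/(\d+)/delete\z}
      id = $1.to_i
      # A safe app refuses to mutate on GET; the caller must use POST.
      return 405 if method == "GET" && @safe_get
      @records.delete(id) ? 200 : 404
    when %r{\A/records/(\d+)\z}
      # Plain retrieval: safe and idempotent, repeated GETs change nothing.
      @records.key?($1.to_i) ? 200 : 404
    else
      404
    end
  end

  # Index page: a view link and a "delete" link per record, as a GET-based
  # Rails app of the time would render them.
  def index_html
    @records.map { |id, name|
      %(<a href="/records/#{id}">#{name}</a> <a href="/records/#{id}/delete">delete</a>)
    }.join("\n")
  end
end

# Simulated accelerator: GET every distinct href on the page. Any JavaScript
# confirm() guarding the link is irrelevant, because no script runs here.
def prefetch_all_links(app, html)
  html.scan(/href="([^"]+)"/).flatten.uniq.map { |href| [href, app.call("GET", href)] }
end

# Render the index once, let the prefetcher loose on it, report what is left.
def surviving_records(safe_get)
  app = RecordApp.new(safe_get)
  prefetch_all_links(app, app.index_html)
  app.records.keys
end
```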