web application security lab

Archive for the 'General News' Category

And We’re Off! Challenge 2 Underway

Monday, August 20th, 2007

For those of you who are interested, the second ha.ckers.org challenge is underway. Click here to begin the challenge. Everything you need is under that directory, and even after the contest is finished you are still able to participate, for those of you who don’t like the pressure of doing something in a certain timeframe. The forum is open for people who want to chat about this while they work. For everyone else, good luck!

Update: And the results are in! Pretty amazing times for the first several winners, and I’ll have to post on our “special winner” Stefan who managed to actually hack the test. Congrats to everyone who won! A spoiler is now live for anyone who is completely stumped.

2:04:53: NoS (Sergey Novotarskiy)

2:06:51: Stefan Esser

2:17:50: AviD

2:20:31: Mario Heiderich

2:21:00: christ1an

3:13:14: kuza55

3:17:22: Jibbler

4:32:43: barbarianbob

5:58:31: David Lindsay

6:22:45: fidels

And since he asked so nicely to be mentioned, Jesper came in 11th with a time of 6:28:05. DoctorDan followed at 6:52:11.

Cenzic Sues SPI Dynamics Over Scanning Patent

Monday, August 20th, 2007

It looks like Cenzic is suing SPI Dynamics (now owned by HP) over a patent infringement. Cenzic has patented fault injection. Cenzic obviously feels confident that SPI is infringing on the technology they have patented. It’s a strange move, given how many people have a vested interest in making this patent go away. Now that Cenzic has become litigious it seems like it would be in the best interest of the industry and indeed all companies everywhere that use other scanning technology to get the patent thrown out. I didn’t care about this when I first read about it, but now that Cenzic has taken to suing companies, I feel compelled to take action.

Personally I hope that SPI wins this and the patent is thrown out for a number of reasons. I think the patent is obvious, has been done prior to their claims, and has been invented by dozens of people and companies over the years who have released their findings under various copyrights and licenses (myself included - I built a number of tools that injected specific faults into systems as early as 1995, and let’s not forget SATAN written in 1993 and stuff like the PHF scanning worms in 1996). But most importantly it’s hostile to the industry as a whole. It would only make things far more difficult, inhibit innovation and reduce our ability to secure the Internet as a whole. I have nothing against Cenzic, but this patent must die. In the meantime, until this patent is thrown out, you are taking a risk if you have built any fault injection scanning technology that does not license Cenzic’s patent. Everyone else, please submit your prior art to the comments of this post or to SPI’s lawyers as you see fit.

Challenge Round 2

Thursday, August 16th, 2007

Okay, it’s time for the second round of the ha.ckers.org challenge. If you remember last time I didn’t do a particularly good job of giving people a heads-up that the challenge was happening. This time I’m giving you lots of warning. I also made it harder in a few small ways. id thinks it’s way harder, but we’ll see, I have a feeling it’ll be solved pretty quickly (it can theoretically be solved in under 5 minutes if you already knew how to solve it). Here is the exact time it will start. Please make sure you do the correct conversions into whatever timezone you are in:

Monday August 20th at 1PM Pacific Time (4PM Eastern Time).

This time I’ll be focusing less on HTTP and a lot more on “states”. That’s your one and only hint. When the clock strikes, I’ll remove the htaccess file and you’ll find the challenge sitting here. Feel free to use the forum to chat amongst yourselves before/during/after the challenge. id and I still haven’t come to agreement on the prizes, but if anyone wants to sponsor the challenge and give away some shwag, let me know. Otherwise it might be more tee-shirts since we still have a box full of them that we’ll need to give away at some point or another.

Again, the rules of the challenge and the directions are part of what you need to find. There are lots of things going on, and I tried to build on the same framework as last time, so having some familiarity with the last test might help you (or it might not). Either way, it’s tough, and requires work, so good luck to anyone who attempts it. For those of you who couldn’t figure out the last one, don’t bother with this one, this one uses many of the same principles. I hope you guys like it - we are already coming up with some pretty out of the box ideas for the next one.

WebCast On Hacking Intranets

Thursday, August 16th, 2007

If you missed our Blackhat talk the other day and wanted to hear it, Whitehat is sponsoring a webcast this Tuesday. It’s on Tuesday, August 21, 2007 at 11:00 AM PDT (2:00 PM EDT). This is going to be almost a direct repeat of our Blackhat talk, so for those of you who already made it, don’t worry if you miss it.

We’ll be talking about a lot of the same concepts that we’ve already talked about on our individual sites, so if you are up to date and current with this and Jeremiah’s site, you probably won’t learn anything, but for those of you who tend to be hit and miss on the site and the technology, it’s probably worth it for you to join in to see a lot of what we talk about come together.

RSnake Puts Up

Friday, August 10th, 2007

I just can’t seem to avoid controversy lately. This time Billy Hoffman decided to take a stab at something I am still befuddled by. He claimed Jeremiah Grossman and I re-presented a paper from 7 years ago. Wow, I think someone must have missed our talk and/or failed to read the paper completely. We only mentioned timing attacks in passing and in totally different contexts. Further, I’ve never once claimed to come up with the concept of timing attacks. In fact, quite the opposite. If he had read my blog carefully he would have seen that I fully admitted I had first read about the concept of it in Hacking Web Applications Exposed 2. Then in Billy’s best showdown lingo I am given the ultimatum to put up or shut up. Eesh.

I’m really not even sure what Billy thinks we stole, because the one thing we talked about in regards to timing attacks was about measuring JavaScript error time to port scan intranets, which is a concept that is not once mentioned in the paper he cites. The paper is a really good one on other practical uses for timing attacks, however, it neither mentions intranets, nor does it mention port scanning. Not really the same application but similar techniques - you will get no disagreements from me there. I guess I could see why Billy could be confused. As a side note, as maluc pointed out this paper is where the concept of timing attacks originated and is far older than the paper Billy cites. Neither of which have much to do with our talk, but there you have it.
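The post only names the technique in passing (timing how long a browser takes to error out on a request to an intranet host in order to guess whether a port is open), so here is a small worked example of what that probe looks like. This is added editorial example code, not code from the original post or from the Grossman/RSnake talk; the host names, thresholds and verdict labels are assumptions chosen for illustration. It also serves the later “Blackhat Pics and Roundup” paragraph on why split VPN tunnels are dangerous, since the same probe works against whatever the victim’s browser can reach.

```javascript
// Added example (not from the original post): a timing-based port probe that a
// web page can run against hosts on the visitor's own network. The thresholds
// are assumptions, not numbers from the post.

const CLOSED_MAX_MS = 200;     // assumed: a TCP reset usually surfaces as onerror well under this
const PROBE_TIMEOUT_MS = 5000; // assumed: past this we stop waiting and call it open-or-filtered

// Pure classifier, kept separate from the DOM code so it can be tested outside a browser.
// outcome: 'load' | 'error' | 'timeout'; elapsedMs: time from request start to that event.
// Caveat: a fast 'error' is ambiguous. It is usually a refused connection, but an HTTP
// server answering 404 (or a non-image body) errors out just as quickly, which is why the
// original work paired timing with other signals rather than trusting it alone.
function classifyProbe(outcome, elapsedMs) {
  if (outcome === 'load') return 'open-http';           // something served a decodable image
  if (outcome === 'timeout') return 'open-or-filtered'; // listener that never answers, or a drop
  return elapsedMs < CLOSED_MAX_MS ? 'likely-closed' : 'open-or-filtered';
}

// Browser-only: point an <img> at http://host:port/ and time how long the browser takes
// to give up. Resolves to one of the verdict strings above.
function probePort(host, port, timeoutMs = PROBE_TIMEOUT_MS) {
  return new Promise((resolve) => {
    const img = new Image();
    const t0 = Date.now();
    let done = false;
    const finish = (outcome) => {
      if (done) return;          // whichever of load/error/timeout fires first wins
      done = true;
      const elapsed = Date.now() - t0;
      img.src = '';              // abandon the pending request
      resolve(classifyProbe(outcome, elapsed));
    };
    img.onload = () => finish('load');
    img.onerror = () => finish('error');
    setTimeout(() => finish('timeout'), timeoutMs);
    img.src = `http://${host}:${port}/?cb=${t0}`; // cache-buster so every probe hits the wire
  });
}

// Sweep ports one at a time; parallel probes share the browser's connection pool
// and would skew the timings the classifier depends on.
async function scanHost(host, ports) {
  const results = {};
  for (const port of ports) {
    results[port] = await probePort(host, port);
  }
  return results;
}

// Usage from a page or console (hostname assumed):
//   scanHost('intranet', [80, 443, 8080, 3306]).then(console.log);
```

Two practical caveats a tester should keep in mind: modern browsers refuse outright to connect to a list of well-known non-HTTP ports (22, 25 and others), so those probes error instantly whatever the real state of the port, and the timing windows drift with network latency, so calibrate the thresholds against a known-closed port on the same host before reading anything into the results.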

The only other thing I can think of that would confuse Billy is that we talk about our attacks as working with and without JavaScript. The paper Billy cites does mention a JavaScript-less version of an attack, but he was talking about using it to detect if you have been somewhere or not. Jeremiah and I have totally different (and far more accurate) ways to do that, which is actually what we discussed - we didn’t even touch on using timing attacks for that purpose because it’s so much less effective than the ways we have come up with over the last year and a half. Anyway, we didn’t claim to invent JavaScript-less attacks either. I know, I know, it’s crazy to think we came up with and built everything we said we did.

So just to cover my bases in the off chance someone can figure out a way I have trampled all over the intellectual rights of any of the aforementioned papers, I hereby cite Paul Kocher and Edward Felten for the concept of timing attacks, and Al Gore and ARPAnet for the concept of the Internet and every other concept my attacks have been based on over the years. Rest assured, unlike some people in this industry I never steal research, and if I do so inadvertently, I own up to it and publicly retract. I’ve done so dozens of times on my blog whenever I find out I am in error, whether I find my error on my own or when it is communicated to me, and that’s not about to change. And if I know that I am getting awfully close to copying someone else’s work, I always find a way to make it clear that that is what I’m doing. For the record I have no problem with SPI Dynamics - as I’ve been meeting more and more of them I’m getting to know and like them, Caleb, Michael and Jeff are all great guys. Even though we’ve had our bumps in regards to who originally came up with JS port scanning, which I am well beyond done arguing about, I actually like some of the stuff coming out of that camp. Anyway, this post probably isn’t interesting to anyone - unless you just happen to be trying to publicly disparage our work… or something.

Blackhat Pics and Roundup

Wednesday, August 8th, 2007

I’ve been absolutely buried since I got back. Let me try to race through the highlights. Firstly, if you haven’t seen Llana Grossman’s take on the con I suggest you do. It’s pretty funny actually. If you just want to jump to the pics, and avoid all the jibber jabber click here. So where to start?

id and I flew in on Tuesday, managed to find our way to our ghetto hotel (I do not recommend anyone stay at the Imperial Palace - although they do have a good Chinese place on the third floor). I ditched id who had to do work, and found my way over to Jeremiah’s room which vastly outclassed the Imperial Palace.

We all went down and got our badges, and managed to meet up with some Mozilla guys, some more WhiteHat guys and Robert E Lee from Outpost24 for dinner. Mozilla bought sushi for the table, as we talked about breaking the Internet. The speaker party was pretty fun, although I think a lot of people just wanted to bail to get a good night’s sleep. I know I did - we were second in the morning.

The talk went great - it was standing room only, and a few dozen people rushed the stage after it was over to ask questions. It was a really good audience actually. We showed how we could use a lot of the same old tricks we came up with a year ago without using JavaScript. I wanted to get an 0day up and running to explain why I could enumerate files on a Windows box without JS but I couldn’t get the demo working in time. Anyway, what I was able to show is how split VPN tunnels are dangerous. There’s a write-up on a potential (but fairly flawed) mitigation technique here. It’s flawed because it assumes you can block the things that bad guys are going to want to hack (like http://intranet/). To do so would break tons of functionality. But I encourage people to keep thinking about it.

There was another good thought that came out of it here, talking about safe cookies although cookies are only part of the problem. Kerberos, NTLM, basic and digest auth are all huge problems as well. Plus in many cases I don’t need any form of authentication whatsoever - that’s how my demo worked as a matter of fact. So good thought, but it’s a long way from getting us to where we need to be.

After it was over, id and I were having some interesting conversations about some of the other information leakage problems. I’d like to propose that we consider getting plugin manufacturers (noscript seems like a likely candidate) that have a concept of an intranet zone that prohibits referrers from being sent to Internet zones. Just a thought. It could also work in the browser, but I have a feeling it would break stuff.

I saw some good speeches - DNS pinning galore. I was actually pretty impressed by Billy Hoffman’s take on detecting DHTML malware. In talking with some hardcore AV guys, I think it’s kind of a lost cause, but it was a good take on a tough problem that not a lot of people have put much thought into.

As I’m sure you saw if you read my last post, we spent quite a bit of time talking with the Mozilla guys. They were much more interested in talking about Content Restrictions (if you’re unfamiliar with it, it’s basically a way to programmatically tell the browser not to trust your site - a concept I came up with 4 years ago and asked Mozilla to implement). They did, however, ask for me to come up with a few good things to implement. I’ll start another post on this in the next day or two when I collect my thoughts on the most valuable portions of that.

I hung out quite a bit with Dinis Cruz and a number of the other high level OWASP guys. I’ll probably end up doing a few OWASP talks and maybe a whitepaper or two with Dinis, but that’s gotta wait for some of the other stuff to settle down. The Microsoft party was a lot of fun - they got the entire top floor of Pure. I met a lot of interesting people and probably will be working on some interesting projects there. Btw, they also mentioned us on their security researcher thank you page for some of the vulns we’ve disclosed to them.

I also met Lance James (author of the anti-phishing book) for the first time. We’ve exchanged lots of emails and both belonged to APWG, but it was good to put a face to a name. Likewise with Portswigger (who built Burp Proxy) and I had a good long talk. Hopefully there is a lot more being built into the tool in a not too distant future. Rain Forest Puppy and I chatted a bit about disclosure stuff. I think there may be more coming there in the not too distant future. Lots to be done!

Anyway, I came back with a fist-full of business cards, about 200 urgent emails, three new tricks, four new things to research and a ruined liver. All in all, it was a great time. More follow-ups to come.

Ha.ckers.org Blackhat Challenge

Thursday, July 26th, 2007

A la Caezar’s Challenge, I wanted to create my own such challenge for the people who are able to attend Blackhat/DefCon and those who are unable alike. However, unlike Caezar’s challenge, this isn’t so much a better humanity type challenge - this is just a game for people looking to solve hard problems. The goal? Find the clues, solve the puzzle and win a ha.ckers/sla.ckers branded tee-shirt. If you aren’t coming to the con, no worries, we’ll ship you one. Here’s the ha.ckers.org challenge.

I must warn you - if you don’t know HTTP inside and out, there’s a good chance you won’t get past the first clue. It’s tough, very tough. I don’t expect anyone to solve it, although it can be solved in under ten minutes if you know what you’re doing. The rules are on the challenge. Good luck and see you in Vegas if you are coming!

Update: I’m going to cap it at 10 people. I’ll announce a list of winners that want their names to be mentioned along with how to solve the challenge once the answers come rolling in.

Update 2: We have our winners! In order of response:

WhiteAcid

Billy Rios

Shawn Lauriat

Tyler Reguly

Chris Soghoian

Ryan Platt

Wesley McGraw

Sid Stamm

Georgie

The spoiler is located here if you just want to know how it happened. Congrats to the winners. We had all of them in within just a few hours! Amazing! That definitely says something about the readership! This wasn’t an easy test. Maybe the next one will be harder. ;)

Blackhat Heads-Up

Friday, June 22nd, 2007

Blackhat is coming in about a month and a half. Normally I don’t even talk about conferences until a week or so before I arrive, but Blackhat is a bigger event than most and there’s almost always a lot more going on there than the other cons. So, for those who are interested, here’s what I know and here’s what I’ll be attending.

Firstly, although Dan Kaminsky’s speech doesn’t look like it, I talked with him last night, and he will actually be doing a pretty relevant speech to a lot of the stuff I talk about here, specifically anti-DNS pinning and fingerprinting applications. Definitely worth sitting through, even though I’d love to also see Jon Callas’ speech on traffic analysis - so I may have a spy go to that speech to take notes for me.

Of course I’ll be attending Jeremiah Grossman’s talk on Intranet hacking without JS - I maaay also make a special guest appearance during the talk if I can get some demo code together in the next month. No promises. If people really twist my arm I may sign some books too.

If I had to pick one of the two speeches that Billy Hoffman will be doing I’d probably choose the one on web worms because I think that is far more cutting edge and new, as only a few web worms have surfaced. Although at the same time as that speech is Ariel Waissbein’s speech on ways to dynamically stop attacks using morphing web applications (a topic near and dear to me). So as a result I’ll probably end up going to Billy’s other talk on Premature Ajax-ultation instead of the worm one. I gotta show my support!

I’ll definitely be going to Window Snyder’s talk on Making and Breaking the browser. If nothing else it’ll be interesting to hear her take on it. However, I also want to hit Stephen Patton’s power talk on social networking data mining, so I might float back and forth between those two talks.

I’ll probably hit up Scott Stender’s talk on blind security testing instead of David Byrne’s talk on anti-DNS pinning, because I don’t think there’s anything new in that speech, even though it’s definitely on-topic. After that David Coffey’s speech on creating a shoestring application security practice might be fun. I always like doing things on the cheap.

Lastly, if I’m not totally burnt out on Blackhat I’ll probably go to Rohyt Belani’s talk on the difficulty of intranet forensics (another topic near and dear to me because we are getting into more expert witness gigs). Plus I think Rohyt will give a good talk because it’s all anecdotes.

And when the doors close is when the party begins - namely the Breach sponsored OWASP/WASC party. If you haven’t already RSVP’d you may have trouble getting in as I heard 200+ people have already asked to come. I don’t have any idea how they are going to fit that many people into the Shadow Bar, so they may have to end up moving it, or spilling out onto the casino floor. If anyone hears about any other good parties, please let me know. Anyway, it’ll be fun and I hope to see a lot of you there!

Book review: Professional Pen Testing for Web Applications

Tuesday, June 19th, 2007

I don’t generally do book reviews (maybe I’ll start if I have to do this much traveling in the future - since it will give me lots of time to read). In this case, the book was really on topic, if a tad out of date. Andres Andreu wrote a book in the 2005-2006 timeframe called “Professional Pen Testing for Web Applications” (I think he could have sold another 10k copies if he had spelled out “Penetration” instead of “Pen” but that’s neither here nor there). The book is actually a really good and quick read as there are lots of pictures and examples to drive the text along.

Normally I find it tedious to get through penetration testing style books, because the authors generally only talk about one or two tools (generally nmap and insert one or two other tools here) and stick with them for the entire book. Andres does a really nice job of talking about dozens of different tools and how they are useful from a web application security perspective. One section that I found a tad cheesy though was the ethics of what you can and can’t do during an audit. I don’t know why, but I’ve always found that stuff to be obvious. For instance while it does say extortion is not okay (I hope that’s also obvious to everyone reading this), it fails to mention bribery, rubber hose cryptanalysis, intimidation, kidnapping, murder, or a host of other things that actually do work and three letter agencies worldwide have employed. So don’t go looking at that chart as saying “Andres didn’t say I couldn’t.” The chart made me and id laugh. If anyone wants to sign up for that kind of audit, just let us know. We’ve got the blowtorch and the pliers standing by. The ethics section of the book was short, and it got better quickly thereafter.

Anyway, sure, some parts of the book are out of date, as you’d expect with a book written 1-2 years ago, but a lot of the book is timeless. The general tactics put in place, how the different threat modeling works, and how you document what you find is all good information. I’ve had my own way of doing things for years, but it’s always nice to hear someone else’s perspective. The best part of the book for me, was that since it was slightly out of date, I got to hear a lot more about technologies we tend to forget about since they aren’t used that much any longer. There weren’t many blogs detailing this stuff back then to read, so this is a bit of a blast from the past. Granted, he doesn’t talk at all about a lot of the more modern stuff since it didn’t exist yet, but I found it a really interesting refresher course in the way things used to be, and the way we should probably continue to think about legacy systems.

The cons are that he hardly discusses manual assessment using things like telnet at all, focusing more on the existing tools; at least half a chapter when you add it all up is talking about buffer overflows without going into enough detail to actually show a working example in the wild; he talks quite a bit about SSL security (which really isn’t much of a problem most of the time); and it makes a big leap that you already know how to develop programs, run programs and have access to *Nix environments. That’s true in my case, and on the cover it even says “Programmer to Programmer.” Still it’s definitely not meant for a beginner with only access to Windows and no idea what Cygwin is. Overall, it was probably a four out of five star type book when it came out, but because it’s a little out of date it’s probably more like three stars now. Still, it makes a nice addition to the bookshelf, and it got my brain thinking.

First Conviction of Can Spam Act

Friday, June 15th, 2007

There is an article on The Register about a phisher who was convicted of phishing AOL employees. You can go to the article to read the whole story. The part that I thought was amazing was not that he was phishing employees, or that he got caught, but that it was the first conviction under the Can Spam Act by a jury (there have been other convictions, but not by a jury).

Why CAN SPAM? Why now? CAN-SPAM defines SPAM as a “commercial electronic mail message.” How is phishing a commercial electronic message? It may be fraud, but it’s certainly not commercial. To me it seems like a pretty worthless law, now more so than ever. To me this law has always seemed like an easy out to explain why certain people are allowed to spam and why others aren’t without rhyme or reason. Yet have we seen a drop in spam? Do you feel comfortable putting your email address online without anti-spam filters in place to defend against the onslaught? I think not. Herein lie the failures of a useless law. This guy could have been convicted under a dozen other laws.

I felt the same way when I first read the law. One major problem with it is that it doesn’t deal with international spam. Instead of saying that anyone who spams is culpable and letting extradition treaties deal with the aftermath, CAN SPAM only applies to US citizens. How is that changing the problem? What if a US citizen is using offshore companies to do the deed for them? Clearly the CAN SPAM act needs a serious re-think in my opinion. Let’s either scrap it, or get a real law with some teeth. Perhaps one that holds ISPs financially responsible for hosting verified spam relays and hacked machines?