web application security lab

Archive for the 'Random Security' Category

BOFH - The Tin Whiskers Excuse

Monday, May 3rd, 2010

This post is a bit out of left field compared to what I normally talk about, but I hope some people get some value out of it. If you don’t recall the BOFH (bastard operator from hell) series, or haven’t been in the industry long enough to happen across it, you should read some of the old stories if you need a laugh and a several-hour-long distraction. The basic premise was that the lazy operator would find any and every reason to do the opposite of what people wanted, especially if it let him play video games at his desk. Death and destruction of the clueless and their home directories would often ensue.

Enter tin whiskers (lots of pictures). Tin whiskers are an incompletely understood metallurgical phenomenon associated with pure-tin solder and plating, as opposed to tin-lead alloy solder. The problem has been known for decades, but it is becoming more pervasive as our reliance on electronics grows. Because lead-based solder is all but banned in some parts of the world, the shift to pure tin has led to an increase in faults. Tin whiskers can cause short circuits and even metal vapor arcing, which can literally fry electronics.

Part of the reason the issue gets so little attention is planned obsolescence: the computer industry expects people to replace their computers as soon as new ones become available. A hardware failure is just another kick in the butt to shell out for that MacBook Pro you’ve been drooling over. People always want the latest and greatest, and that is reason enough. The problem is that a lot of the hardware that runs what we rely on stays in place for a decade or more. If it ain’t broke, don’t fix it, right? Except that it will break, and it will break in unpredictable ways.

Routers, switches, database servers, UPS systems, emergency sensors, orbital satellites, SCADA systems, cars, airplanes, etc… etc… Our jobs, and more critically our lives, literally depend on a lot of physical hardware to function. Unfortunately, a lot of this tech relies on scary build processes that are destined to fail.

So if you are the BOFH and you really want to take the rest of the week off, or you want an excuse to get rid of some piece of hardware that has been a thorn in your side for years, you now have a new plausible excuse to give management when you throw that machine in the trash: tin whiskers. For the rest of us, it is one more reason to build redundancy into our hardware designs and our computers and networks, so that a single board failing from a pervasive manufacturing fault does not take a service down with it. And with that, I hope everyone is having a good week!

Just Another Day at ha.ckers.org

Friday, April 16th, 2010

I don’t think I need to introduce this email, I think it speaks for itself:

Valued Road Runner Business Class Customer,

This email is in regards to the Time Warner (Road Runner) account for the following location

–snip–

The Road Runner Abuse Control Department has received a complaint of network abuse originating from a computer connected to your cable modem. We recognize that most Internet abuse complaints are the result of computers infected with viruses/worms or compromised by a trojan horse (a.k.a. “trojan” for short). Trojans allow malicious third parties to gain access to your system(s) for the purpose of using your Internet connection to intentionally commit the abuse in question. The abuse commonly comes in the form of either unsolicited email (a.k.a. “spam”) or port scanning (connection attempts to other systems across the Internet for the purpose of finding vulnerable systems to infect or exploit). However, if not addressed in a timely manner, your machine(s) potentially may be used for other more illegal activities.

A portion of the complaint we have received is copied below for your review:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|date                     |id     |virusname        |ip           |domain    |Url                        |
+-------------------------+-------+-----------------+-------------+----------+---------------------------+
|2010-04-14 02:20:04 CEST |514019 |unknown_html_RFI |71.41.152.29 |ckers.org |http://ha.ckers.org/xss.js |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you recognize this activity and it was intentionally sent, you may be in violation of our Acceptable Use Policy (AUP) and it’s important that you contact us immediately to discuss. If you do not recognize this, you likely have a compromised or infected system connected to your cable modem and will need to take action to clean and secure all Internet-connected computers as soon as possible. We take these complaints very seriously and further substantiated complaints could, at some point, require us to disable your cable modem in an effort to protect the integrity of our network. We obviously have no desire to interfere with your ability to conduct business and would prefer to not take such action, so please pursue whatever measures are necessary (up to and including the formatting of hard drives and/or assistance from a third party IT professional) to correct the problem with due urgency.

If it would be helpful, Road Runner does offer free anti-virus and firewall software for commercial use. You will need your Road Runner account information to register the software, so you may need to contact your local Time Warner office for assistance. For more information, please visit the following link:

http://www.rr.com/pss

Additionally, we have a suggested course of action on our Website, but please be aware that it is intended for use by residential customers to clean a single computer and may not be feasible for use in a commercial environment. Moreover, some of the suggested software is licensed for personal use only. We cannot accept responsibility for compliance with software licenses, so please be aware of rules and restrictions related to the installation and use of any applications suggested. If interested in this course of action, please visit the following link:

http://www.rrsecurity-abuse.com

If you have a network connected via a router, you may be able to view the router logs, looking for either a large amount of email activity or the port scanning activity specified above. This may indicate which computer is the offending system and thus help you simplify the solution.

The corrective action taken is entirely your responsibility. We are merely making contact to alert you to the problem in an effort to both protect our network and enforce our policies. But we ask that you do take corrective action as soon as possible and contact us to advise, preferably by simply replying to this email. Also feel free to contact us with any questions you have regarding this issue.

Thank You,
Time Warner Cable (Road Runner) Abuse Control, Regional Office
twcsecurity-abuse@texas.rr.com
1-877-588-8508

I didn’t realize 2 lines of completely benign JavaScript that can be included on websites is now considered abusive. I can’t wait until someone adds Google Adsense as unknown_html_RFI. If you know who submitted this, please smack them upside the head for me and then sit them down and help them find a job that doesn’t require a keyboard. kthanksbye.

AT&T UMTS JS Injection

Monday, April 12th, 2010

This isn’t exactly an exploit, but I’m sure after reading it some people will feel like it is, or at minimum it will make them uncomfortable. It appears that when users connect through AT&T UMTS wireless cards, the network man-in-the-middles the connection: not only does it downgrade image quality for performance reasons, it also injects a piece of JavaScript located at http://2.2.3.4/bmi-int-js/bmi.js (not live on the Internet). If you’re anything like me and you see a piece of JS in your website that you know doesn’t have any JS on it at all, you’re thinking you’re owned at this point. Alas, you probably are owned, but it’s in an effort to save your bandwidth. You can download a zipped copy of this JavaScript file here.

The real questions are when and how this page gets cached, who owns 2.2.3.4 when you are not being MITM’d (when you switch from UMTS to another network), and so on. Incidentally, I tried to do directory traversal and go to http://2.2.3.4/ to see what else might be on that server, and it banned me from going there, and from fetching the JavaScript file, for the rest of the session. Why? Probably to stop guys like me from hacking whatever server that is and MITMing everyone on AT&T’s UMTS network. Clearly reducing the size of the page is good for them, and is good for some percentage of users who don’t care about the potential issues here. For the rest of us, we’ll continue to tunnel our traffic so we can avoid AT&T’s MITM craziness.

Update: a few people have sent me a link that this also is happening on other networks as well.

Safari Integer Overflow Aids Inter Protocol Exploitation

Monday, March 29th, 2010

This has been out there for almost a week, but I thought it was worth talking about a little. Safari has a classic integer overflow in the way it handles port numbers: add 65,536 to the port you want to connect to (in this case 25 + 65,536 = 65,561) and you bypass its port blocking, because the value is truncated to 16 bits only after the blocklist check. The guys at Goatse Security [NSFW] used it to bring the old inter-protocol exploitation attack against sendmail back all over again.

There are a lot of implications here. First of all, port blocking is wildly insufficient. It’s not in all browsers, and even if it were, blocking 100 out of 65,535 potential ports is just asking for problems. Secondly, almost no one is doing this sort of research. There is a ridiculous number of services out there that may be forgiving enough to let a browser “speak” to them, but I don’t see anyone outside of a handful of people, like Weev, Wade Alcorn, Samy Kamkar, Aaron Weaver and myself, doing this kind of work. There are literally thousands of potentially exploitable services out there! At this rate it could take years just to map out the issues with the privileged ports. Scary. Lastly, the port blocking that is in place is obviously not working either, because we’ve found more than one way to bypass it (first using FTP instead of HTTP in Mozilla and now integer overflows in Safari). Feels like a huge can of worms to me that would be better solved with a whitelist instead of a blacklist.

ControlScan Settles with the FTC

Friday, March 26th, 2010

Got this in the mail today from ControlScan:

This letter is to tell you that we recently settled Federal Trade Commission (FTC) allegations that certain of our privacy and security seals were deceptive. Among other things, the FTC, the nation’s consumer protection agency, alleged that our Privacy Protected, Privacy Reviewed, Business Background Reviewed, and Registered Member seals falsely claimed to consumers that we had verified the privacy and security of the websites displaying them, when, in many instances, we had not.

We already have discontinued these seals, so you should not be displaying them. If you are still displaying any of these seals on your website, you must remove them immediately.

You may continue to display the Verified Secure seal.

If you have questions about this matter, please contact Joan Herbig at –snip–.

Sincerely yours,

Joan Herbig
Chief Executive Officer
ControlScan, Inc.

It’s interesting that the FTC has been looking into this - I’d be curious what sort of other security business practices are getting scrutinized. Could this be a new wave of deeper enforcement? There are certainly a lot of faulty business practices in security - so there would be no end to the possibilities there for an agency that just wanted to make a point.

Effectiveness of User Training… and Security Products in General

Wednesday, March 17th, 2010

It’s not every day I come across real wisdom in research, but I saw a link yesterday to So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, a paper by Cormac Herley of Microsoft Research. There are some amazingly choice quotes in there, like:

as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever. Thus, to a good approximation, 100% of certificate errors are false positives.

Priceless… Mozilla - take a word of advice from the MS guys and make your invalid SSL cert flow 1000% less annoying please. Anyway, another one of the quotes I thought was even more interesting:

If phishing victimizes 0.37% of users per year and each victim wastes 10 hours sorting it out, to be beneficial the daily effort of following the advice should be less than 0.0037 x 0.5 x 10 / 365 hours, or 0.18 seconds per day.

So… if 0.18 seconds per day is too much, let’s look at what our anti-phishing technologies are costing. Say they take two whole seconds a day to download their lists and check the sites you browse against them, plus the latency they add while you surf and while browser processes start and stop. That is more than a 10x gap from what the math says it should cost. Then do the math on what would happen if anti-phishing went away entirely. How many times worse would the phishing black market be if the filters disappeared and phishing was instead dealt with by the registrars, ISPs and the brand owners themselves? Three times? Five times? Ten? Would it have to be more than ten times worse to make the filters worthwhile from an economic perspective?

How about UAC in Windows? How many seconds has it added to everyone’s day to stop the threat of malware, and does it actually stop enough infections to pay for that time? What about anti-virus? Are we operating at a deficit, or do those security products actually prove themselves worthwhile for the public as a whole? I know this is tricky math with an insane number of variables, and it might very well turn out that some products are a no-brainer because they add no time or latency. But I suspect there are a lot of things we tend to think of as good ideas that end up being worse for the end user once you do the math. I know the paper was really about user education being a bad idea economically (and I couldn’t agree more, based on every study I’ve seen or been a part of), but it’s still interesting to think about how a similar formula could be applied elsewhere. Thought-provoking research anyway.

RSA Conference Wrapup

Monday, March 8th, 2010

Well, another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.

But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from both physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a “Diagnose Connection Problems” error and, worse yet, it popped out of kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attack simply by disallowing outbound network access. Let’s assume for a second that there is no way around that (and I’m not convinced of that, incidentally).

Most people would probably say that security is good enough: any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this kiosk intranet). So all I should need is some JavaScript malware that pretends to register people and instead logs their information into my own database fields. I can be somewhere else, check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and, just like magic, I have a way to steal conference registrants’ information. And there are the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how incredibly complex it is to build a truly secure browser-based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

Banks, Businesses, Viruses and the UCC

Wednesday, February 24th, 2010

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little-known body of law called the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers, you are to be treated much like a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers, whose accounts are covered by Regulation E, but if your business consists of even one person, you are still treated as a bank. As such, if money is wired out of your company’s account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? That leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose, it sets a precedent and can open the bank to class action lawsuits aimed at overturning the UCC’s allocation of liability. Either way, it’s a bad day for the bank. So they opt for a third choice, which is to delay the inevitable. They make these poor businesses wait, sometimes for years, before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome for the bank than letting something get litigated. So yes, those poor companies are getting the run-around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

Wait, Google - I Thought You Were Evil!

Tuesday, January 12th, 2010

Thanks to Jeremiah for sending these over. News is fast hitting about Chinese hacks against Adobe and Google. Very interesting stuff. But beyond the hacks themselves - in Google’s case targeting Chinese political dissidents - is this interesting news:

We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

Wow! And I do mean wow! Google is no longer willing to take the political hit associated with their flippant stance towards China’s censorship and is actually stepping up to do the right thing! Absolutely amazing. This is the first really truly non-evil thing I have seen Google do in years. I read a really funny article the other day by Fake Steve Jobs where he called Google sociopaths - and until today I agreed with that statement. Now I think at least they know what the difference between right and wrong is, even if they’ve definitely chosen the wrong route a greater percentage of the time than not.

Of course there is all kinds of potential for spin in Google’s blog post. For instance never once did they explain how their cloud wasn’t secure and you shouldn’t upload sensitive information to something that’s not secure if you care about that kind of thing. But alas, I’d never expect that either. Convenience will win that war over security either way. But it’s exciting news, and I’m interested to hear what the fallout of this one is.

Happy 900 and RSnakes on a Plane!

Monday, October 19th, 2009

I realized after I posted the last post that ha.ckers.org has finally reached the 900 blog post mark. I honestly didn’t think we’d make it. After how many hornets’ nests we’ve stirred up over the last 5 years that this version of this site has been online, it’s kind of amazing that the site is still going strong. So I decided to do a bit of a fun post. If you are lacking a sense of humor, please move on now. We’ll forgive you. Now, in reference to a recent Twitter post about yours truly:

@shawnmoyer What no @rsnake’s on a plane joke?

Speaking of RSnakes on a plane - I was taking a trans-Atlantic flight and I was bored, as an RSnake will tend to be after 2 solid hours of a classic but bad Meg Ryan movie. I realized that they had some games on the in-flight entertainment. Ahh, something to play, this should be amusing. Well, if the games were good, maybe I would have been more interested, but Blackjack sounded good enough for kicks. So I started playing. You start off with $100. Well, after quickly losing a few hands, I decided that playing like a normal user was getting me nowhere. Let’s try some different tactics. How about betting $100 and then folding? Ah… I end up with a negative integer, somehow. Now what if I bet a huge negative number and fold again - like -200? Ah, I get an even bigger negative integer.

What happens if I keep doubling my bet? Hmmm… this negative integer thing is getting huge. Oops! Blackjack - huge positive payout: time and a half larger than my bet even! Alas, somewhere around 1,000,000 is when the in flight entertainment crashed on me - and it turns out that clicking the button thousands of times to change your increment of betting from -50,000 to +50,000 in $5 increments is a really crappy way to make a flight go faster. But before all that, here’s the picture I took:

How many things were wrong here? Input validation errors, logic flaws, and negative integers used for currency… The worst part was I couldn’t even bet someone a free drink that I could get a higher score than them because they offered free drinks in-flight. Alas! Anyway, this story was in case, like Mortman, you were wondering what it’s like to fly with RSnakes on a plane… Moral of the story - stop showing old Meg Ryan movies on airplanes.
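As an added example (not the in-flight game’s code, nor the author’s), here is the class of bug the story describes beside a hardened version: a bet accepted straight from the UI with no sign, size or balance check, so a negative stake turns a loss into a payout and an oversized stake drives the balance negative; and a table that validates the stake as a positive integer within limits, escrows it at placement, and pays out in integer cents. The starting balance, table limit and outcome names are assumptions for the example.

```javascript
// Added example: unchecked bets versus validated ones. Not the in-flight
// entertainment system's code; balances and limits are constructed.

// Vulnerable: trusts whatever the betting widget sends.
class VulnerableTable {
  constructor() {
    this.balance = 100; // dollars, as a plain Number
    this.bet = 0;
  }
  placeBet(amount) {
    this.bet = amount; // no sign, size or balance check
  }
  settle(outcome) {
    if (outcome === 'lose' || outcome === 'fold') this.balance -= this.bet; // negative bet: a loss pays you
    else if (outcome === 'win') this.balance += this.bet;
    else if (outcome === 'blackjack') this.balance += this.bet * 1.5;       // float arithmetic on money
    return this.balance;
  }
}

// Hardened: the stake is a positive integer number of cents, capped by the
// table limit and the player's balance, and moved to escrow when placed so
// nothing about it can be changed mid-hand.
class HardenedTable {
  constructor(balanceCents = 10000, maxBetCents = 50000) {
    this.balanceCents = balanceCents;
    this.maxBetCents = maxBetCents;
    this.stakeCents = 0;
  }
  placeBet(amountCents) {
    if (!Number.isSafeInteger(amountCents) || amountCents <= 0) {
      throw new RangeError('bet must be a positive integer number of cents');
    }
    if (amountCents > this.maxBetCents) throw new RangeError('bet exceeds table limit');
    if (amountCents > this.balanceCents) throw new RangeError('insufficient balance');
    this.balanceCents -= amountCents; // escrow the stake
    this.stakeCents = amountCents;
  }
  settle(outcome) {
    const stake = this.stakeCents;
    this.stakeCents = 0;
    switch (outcome) {
      case 'lose':
      case 'fold':
        break;                                                  // escrowed stake is forfeited
      case 'push':
        this.balanceCents += stake;                             // stake returned
        break;
      case 'win':
        this.balanceCents += 2 * stake;                         // stake plus even money
        break;
      case 'blackjack':
        this.balanceCents += stake + Math.floor((stake * 3) / 2); // 3:2, rounded down to whole cents
        break;
      default:
        throw new Error(`unknown outcome: ${outcome}`);
    }
    return this.balanceCents;
  }
}
```

The escrow step is the part most hobby implementations skip: once the stake has already left the balance, neither a mid-hand change to the bet amount nor a double-settle can mint money, and the balance can never go below zero because the only subtraction happens after the "insufficient balance" check.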