web application security lab

Archive for the 'Random Security' Category

ThreatSTOP Anti-Botnet DNS

Monday, September 17th, 2007

I was asked to take a look at ThreatSTOP the other day. Although it’s not very clear from the website, after signing up I found out the basics. It’s essentially a lot like OpenDNS. In fact, it’s so much like OpenDNS that I actually confused id when I said what it was, because he thought that’s what I was talking about. It’s not exactly like OpenDNS - there are a few differences.

First the similarities. They both rely on DNS to protect consumers (not websites) from contacting “bad” sites. They both require that you use their sites to perform the lookups on your behalf. They also share some of the same negatives - bad guys who use IP addresses are unaffected by this mitigation. It’s always reactionary - meaning it won’t block you from going there until it knows it’s bad. And if you’re paranoid, don’t forget that they both get to see every site you intend to contact.

Now for the differences. It appears that OpenDNS has quite a bit of added customization that you can put in front of it - allowing customized blocklists. OpenDNS also uses a block page, which theoretically could see the actual URLs you are going to (since it takes over the DNS for them - rather than simply blocking the request completely). Lastly, and the most important difference between the two: OpenDNS focuses on phishing and ThreatSTOP focuses on malware-infested websites.

Maybe one of the two companies should just buy the other? Not that I use this kind of stuff, but for those who do, it seems like you’d want to be protected from both threats as a consumer, not just one or the other.

Why I Never Posted RSPolicy

Tuesday, September 11th, 2007

Once upon a time the name of the game was buffer overflows. We spent countless hours banging on IDA Pro trying to get some debugger to give us the magical EIP as we smashed on our keyboards for hours. Life was a lot simpler back then - we banged on our own computers, trying to make them crash. We weren’t hurting anyone, and it made sense that we had a disclosure policy that matched that. Rain Forest Puppy released an epic document called RFPolicy that was designed to solve the problem of responsible disclosure. It allowed the industry time to solve the challenges of patching, while still giving the researcher the credit for their work. The companies were forced to explain what happened when they released their patches, at which point it made sense to credit the researcher. Times have changed.

While RFPolicy is absolutely still practical and useful, even RFP admitted to me that it doesn’t cover the one area a lot of us now work in the most - web server vulns. Unlike hacking your own computer, when you hack a website it’s got all sorts of implications. But here are the most likely worst cases: the owner may do nothing, they may fix it and not tell anyone, or they may decide it’s illegal for you to be finding the vulns and try to prosecute you. None of which are any good for the poor researcher looking to help the website and/or possibly trying to increase their own name brand in doing so.

Along comes RSPolicy (obviously incomplete). In the same vein as RFPolicy I wanted to create something that solved the unique problems that web researchers face, which is that they want either a) to be recognized, b) to get the hole fixed, or c) both. In any case, they still fear the worst cases as mentioned above. RSPolicy was both a tool and a policy designed to set timeframes within which exploits should reasonably, in a worst case, be fixed. Additionally, I was going to build a tool (essentially an anonymous one-directional webmail) to prevent the companies from knowing who was reporting the vuln, so as to prevent prosecution in the worst case.

The goal was to get companies to agree to the RSPolicy, and throw up a page, explaining at a high level who found the hole, what it was, and potentially dates that it was found and closed. It all seemed like a lofty goal. Now I needed to get a few big companies to agree to timeframes. Here’s where it got ugly.

In order to protect the companies I picked I’m not going to use their names here, but trust me, you’ve heard of the companies. I picked them because they were huge, and they have these problems all the time. That means that they aren’t quick on their feet, which is perfect since I was really looking for a worst case anyway. Alas, one of the companies was unwilling to put limits on anything - fearing reprisal or even lawsuits from their customers. Another company felt the impact of this would be pretty massive to their ability to be able to fix flaws (in a good way) but never bought off on verbiage and also never put a line in the sand. Then I started talking to people in the industry.

I spoke with RFP, of course, and I didn’t get the feeling he felt it was providing enough of a mechanism. I spoke with a few others who felt that people wouldn’t adopt the tool portion (which I don’t care about, but it’s a good point). And when it came down to it, the major beef I heard was that it actually wasn’t a policy, so much as a moving line in the sand that was ill-defined. I agree. And henceforth I have given up on the project. While a noble goal, I think I’m just exhausted by the concept. The companies have all completely dropped the ball at this point, despite the fact that all three have had vulnerabilities found in their sites within the last month that I am personally aware of. So despite the ball dropping, the problem hasn’t gone away.

I’m not looking for the community to pick up where I left off - that’s not my goal. My goal at this point is just to let everyone know that perhaps there is an alternative out there, and there is no reason you cannot make up your own policy at any time that makes sense for whatever application you need it for. I chose RSPolicy because I thought it fit a need. Perhaps it will for some, but I’m not going to build the tool, host it, or work on RSPolicy anymore, which is why it is in the state it is (incomplete). The companies mentioned who read this (and they all do) all continue to have the opportunity to work with the community however they see fit - I’m just not going to facilitate.

Ha.ckers.org Breaches Browser Security - Says McAfee

Thursday, August 30th, 2007

Update: Apparently this is super old, but no one noticed. I guess not that many people use that service because it’s been around since Feb. Which also means some of these may have been pointing to us at that time - so maybe Dean isn’t as inept as I initially thought he was - except for the whole thinking we are spreading destruction without warning people ahead of time. Uhm, ya.

Here we go again. People who have been reading this blog for a while will remember that we have been told we were hacking websites by hosting JavaScript and we have been marked as a phishing site as well. Well, as Michael pointed out, McAfee has marked ha.ckers.org as a site that attempts to exploit you. Way to go guys, very nice indeed.

So let’s dissect what I think happened here. At some point someone looked at one of the examples and said, “Wow this site is bad.” because they are clueless and didn’t bother to even look at the rest of the site. A gentleman by the name of “mr.anderson” then put up a stunning review of the site:

Exploit server

Wow… amazingly thorough review! I wish they would at least put which page they thought was owning them; that would have been amusing, to make fun of him at least. But alas, no such luck. Then the big gun arrived. His name is dean and he has been marked as an “experienced reviewer”. Thank god, I’m saved, right? Someone who knows what they’re doing at least?

What mr.anderson said… According to Exploit Prevention Labs’ LinkScanner, this site contains malicious code. The IP address of this domain is 69.12.144.65 and it is shared by seven other domains. These sites are listed below:

advicegalaxy.com
barbarycoastfilms.com
fthe.net
mydickisbiggerthanyours.com
s-alchemy.com
secureseo.com
seodymanics.com

And then just to make sure he’s gotten his point across dean writes:

I forgot to add in my previous review that the other sites listed also contain exploits.

Wow. Just. Wow. Let’s actually take a look at this great find here that dean, our experienced reviewer came up with. Let’s look at advicegalaxy.com:

Name: advicegalaxy.com
Address: 8.15.231.1

Uhm… doesn’t appear to be on 69.12.144.65 to me and it looks like some domain squatter. But maybe that’s just an anomaly. Let’s look at another one:

Name: barbarycoastfilms.com
Address: 69.12.144.101

At least this one is on the right subnet, but still, wrong IP. And it appears to be a movie review site. Alas, not the malware spewing site I had hoped to find.

Name: fthe.net
Address: 69.12.144.99

Again! Close! But alas, wrong IP and even still, it’s a site that is supposed to be funny (we do try, but alas, sometimes we just fail miserably). Hardly the browser exploit factory.

Name: mydickisbiggerthanyours.com
Address: 69.12.144.101

Yes, id sure does have a good sense of humor, doesn’t he? Same deal as fthe.net.

Name: s-alchemy.com
Address: 69.12.144.65

There we go! Finally a match with the IP address that dean listed. Let’s go check it out. Wait, nothing there? How is it going to spread malware when it’s not even alive? Strange….

Name: secureseo.com
Address: 69.12.144.99

Okay, now we’re getting somewhere. It’s at least talking about browsers. But wait, it’s only got a few posts and alas one of them is about helping browser companies detect blackhat SEO tactics. Weird. There has GOT to be malware here! Dean said so! And that man is experienced!

Name: seodymanics.com
Address: 69.25.212.153

Whoah, not even close to the right IP range, and also looks like domain squatting. Alas, nothing to do with us. So now let’s look at ha.ckers.org since that appears to be the offending site.

Name: ckers.org
Address: 69.12.144.99

But wait! Dean clearly said ha.ckers.org was living on .65, not on .99! Maybe they have the wrong site? Now I’m just confused! Just because you use handy dandy outdated IP-to-hostname lookup and correlation tools doesn’t make you experienced. In fact, it turns out it makes you lazy and wrong. However, let’s get back to the matter at hand. Apparently Exploit Prevention Labs’ LinkScanner thinks I’m a bad bad man. So I go ahead and run it against every URL on ha.ckers.org I think could possibly be scaring it. Alas, nothing. Everything I can think to test comes up as thumbs up, as nice as rainbows and lollipops.
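The lookups above are the check any reputation reviewer should have run before asserting that eight domains share one IP. Here is that check as a small script; this is an added example, not code from the post or from McAfee, and the recorded answers are the ones quoted above (the resolver is injected so the same logic runs offline against recorded answers or live against the system resolver).

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Forward-lookup answers as quoted in the post (recorded, so the check runs offline).
RECORDED_ANSWERS: Dict[str, Optional[str]] = {
    "advicegalaxy.com": "8.15.231.1",
    "barbarycoastfilms.com": "69.12.144.101",
    "fthe.net": "69.12.144.99",
    "mydickisbiggerthanyours.com": "69.12.144.101",
    "s-alchemy.com": "69.12.144.65",
    "secureseo.com": "69.12.144.99",
    "seodymanics.com": "69.25.212.153",
    "ha.ckers.org": "69.12.144.99",
}
CLAIMED_IP = "69.12.144.65"  # the address the review said all of them share


def live_resolver(name: str) -> Optional[str]:
    """Forward-resolve a hostname with the system resolver; None if it has no A record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def fixed_resolver(table: Dict[str, Optional[str]]) -> Resolver:
    """Resolver backed by recorded answers, for replaying an old claim offline."""
    return lambda name: table.get(name)


def check_shared_ip_claim(claimed_ip: str, domains: List[str], resolve: Resolver) -> dict:
    """Sort each supposed co-tenant by how its current A record relates to claimed_ip.

    confirmed   - resolves to exactly claimed_ip
    same_subnet - a different host in the same /24 (what a stale reverse-IP index looks like)
    mismatched  - resolves somewhere else entirely
    unresolved  - no A record at all
    """
    subnet = ipaddress.ip_network(f"{claimed_ip}/24", strict=False)
    report = {"confirmed": [], "same_subnet": {}, "mismatched": {}, "unresolved": []}
    for name in domains:
        ip = resolve(name)
        if ip is None:
            report["unresolved"].append(name)
        elif ip == claimed_ip:
            report["confirmed"].append(name)
        elif ipaddress.ip_address(ip) in subnet:
            report["same_subnet"][name] = ip
        else:
            report["mismatched"][name] = ip
    return report


def claim_supported(report: dict) -> bool:
    """True only when every listed domain currently resolves to the claimed address."""
    return not (report["same_subnet"] or report["mismatched"] or report["unresolved"])


if __name__ == "__main__":
    # Swap fixed_resolver(...) for live_resolver to re-check a claim against current DNS.
    rep = check_shared_ip_claim(CLAIMED_IP, list(RECORDED_ANSWERS), fixed_resolver(RECORDED_ANSWERS))
    for bucket, entries in rep.items():
        print(f"{bucket:12s} {entries}")
    print("claim supported:", claim_supported(rep))
```

Run against the recorded answers, only s-alchemy.com lands in "confirmed", so the shared-IP claim fails; a same_subnet bucket full of neighbours is the signature of a reverse-IP index that was built before the hosts moved.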

Okay, enough sarcasm. Herein lie some serious problems. How one site can maintain the reputation of other sites in such a way obviously leads to all sorts of false positives and false negatives. Even if you think this site is bad, without contacting me, or explaining what exactly is wrong with the site, how can I even fix the problem to get it up to snuff?

Now we are relying on the reputation of people named “dean” and “mr.anderson” to make judgment calls, when it’s clear the more experienced of the two doesn’t have a clue about the site he is reviewing or the other sites (all of the sites listed have now been reviewed as bad by dean, including s-alchemy, which is not even online and hasn’t been since our server crash months ago). Great job guys. I hope someone at McAfee is reading this and fixes it. Also, if anyone has a copy of Exploit Prevention Labs’ LinkScanner Pro, I’d appreciate a heads up as to what it found on ha.ckers.org that it thinks is bad.

Until we get to the bottom of this, maybe you should take McAfee’s word for it and steer clear of this site and the .65 IP address - they wouldn’t mark this site bad if it weren’t. If I can’t figure out how we’re exploiting you, you should be afraid - very afraid!

Netscape - The Future Of Security Flaws

Tuesday, July 31st, 2007

This is a post I’ve been meaning to make for several years now, and I just now got around to doing it. Netscape is one of the few browsers out there that’s old enough to pre-date most of the security people who hack on browsers. It’s got a long trying history, with lots of problems and lots of successes, and in a lot of ways it was one of the most influential browsers out there. I owe a lot of my understanding of the web to Netscape in the early days. There’s a lot to be said for the history. But we aren’t living in the past. Let’s talk about now.

Netscape’s new model is not as the role of a browser company, but more as a wrapper around IE and Firefox. Using versions of Firefox and IE, Netscape wraps them in certain ways depending on the user, to give the maximum browsing experience. Netscape has come a long way in terms of installers too, and their bookmarklets are very cool. However, there is a fundamental flaw in their design - they aren’t current.

Because they do not update as quickly as the other browser manufacturers that they wrap, they are always behind the times in terms of vulnerabilities. That means any user who uses Netscape is vulnerable to old Firefox vulnerabilities for months longer than they would be if they used Mozilla. I haven’t seen a shift in that mentality in the nearly four years I’ve been meaning to write this and I don’t see it changing any time soon. If you are using Netscape you are wildly behind the security patching process. I’d love to see Netscape fix this and start updating in near-real-time alongside the rivals they wrap. I don’t see them as a serious competitor to Mozilla or IE, but still. I’d rather they not disappear completely from the planet - if only for nostalgia.

Ha.ckers.org Blackhat Challenge

Thursday, July 26th, 2007

A la Caezar’s Challenge, I wanted to create my own such challenge for the people who are able to attend Blackhat/DefCon and those who are unable alike. However, unlike Caezar’s challenge, this isn’t so much a better humanity type challenge - this is just a game for people looking to solve hard problems. The goal? Find the clues, solve the puzzle and win a ha.ckers/sla.ckers branded tee-shirt. If you aren’t coming to the con, no worries, we’ll ship you one. Here’s the ha.ckers.org challenge.

I must warn you - if you don’t know HTTP inside and out, there’s a good chance you won’t get past the first clue. It’s tough, very tough. I don’t expect anyone to solve it, although it can be solved in under ten minutes if you know what you’re doing. The rules are on the challenge. Good luck and see you in Vegas if you are coming!

Update: I’m going to cap it at 10 people. I’ll announce a list of winners that want their names to be mentioned along with how to solve the challenge once the answers come rolling in.

Update 2: We have our winners! In order of response:

WhiteAcid

Billy Rios

Shawn Lauriat

Tyler Reguly

Chris Soghoian

Ryan Platt

Wesley McGraw

Sid Stamm

Georgie

The spoiler is located here if you just want to know how it happened. Congrats to the winners. We had all of them in within just a few hours! Amazing! That definitely says something about the readership! This wasn’t an easy test. Maybe the next one will be harder. ;)

What I Learned in my Move

Thursday, April 26th, 2007

Wow, 24 hours in a car… I made it to Texas safe and sound. There were a few interesting things that happened that are, strangely enough, relevant to security. First the actual packing. I hired a company to do the packing and storage of my stuff until I’m ready to bring it out. They wouldn’t take my guns or alcohol or anything in liquid, so I had to drive. Annoying, but manageable. Anyway, the packing guys did an amazing job. They packed up my entire place and got it into the truck in 6 hours, and I have a lot of annoying stuff to pack. They had four guys working on it, but I realized that even if I had all the right packing stuff, there’s no way I could have done what they had done in 48 or more hours, let alone 24 man hours.

It’s not because I’m lacking the skill, or the strength, or even the interest. In fact, I’m more interested than anyone. The moving company has no interest in my stuff whatsoever. Granted, they don’t want it broken, because they don’t want to get sued, but short of that, they couldn’t care less about any of the individual items in my apartment. So for them to move my stuff is an emotionless event. For me, I would have taken every individual item, inspected it, thought about what it meant to me, where I bought it, what condition it is in, where I want it to end up in the new place, and sorted it accordingly. All without really thinking about it, but each item would have taken me 2-10 times as long to pack depending on what it was.

The moral of the story? I think the same is true when you are talking about assessments. I remember back when I was a lowly programmer and we did code reviews. The person coding it would spend days or weeks programming something and we would tear it apart in a few minutes. They were lacking the distance to know better. They were thinking about the classes and sub classes and data structures. No one on earth knew the code better than they did, yet they lacked the distance to be able to assess it quickly. Since we didn’t care, we could do so efficiently. It’s not that they were lacking the skill, far from it. They were lacking the self-distance. Obviously, sometimes people are purely lacking the skill (like how to lift a box into a truck without hurting yourself) and that would make the results even more dramatic.

The second interesting part of the story was when I got pulled over. The border patrol was pulling everyone over near the border between Texas and Mexico. I thought at this point the deal was over. For sure they were going to arrest me. I was bringing cases of alcohol, firearms, hacking stuff, liquids that could easily make some sort of chemical nightmare (cleaning supplies), not to mention the various foods that I’m sure you’re probably not allowed to take across state lines. I was prepared to turn myself in for a lenient conviction. Alas, they asked me only one question. Here is the sum total of that conversation:

Officer: “Good morning.” RSnake: “Good morning.” Officer: “Are you a citizen?” RSnake: “Uh, yes?” Officer: “Have a good day.” RSnake: “You too!”

So it occurred to me as I was pulling away from the checkpoint that that is a pretty damned easy test for me to pass, and I wasn’t even good in school or anything. How many thousands of dollars a day does it cost to run that thing, and what exactly does it stop? I could have had 5 Mexican guys and an Al Qaeda member under the boxes in the back. Maybe they were scanning my truck with x-rays looking for human passengers, or using geiger counters looking for radioactive materials, who knows? Anyway, it was worth a laugh. It would have been hard to fail that test, unless I accidentally blurted out, “Si!”

WhiteAcid’s Tale

Thursday, April 19th, 2007

For those of you who don’t know him, Sid, or WhiteAcid has been a frequent poster to the boards and has contributed several tools to the webappsec space, including the POST forwarder tool and the community cookie logger. Recently he found a vulnerability in BeThere’s (his ISP) customer routers, allowing compromise of a lot of people’s home networks. Yes, that’s bad. WhiteAcid’s full disclosure was actually posted here. There’s also a news article at the Register about it.

This was an interesting case from a full disclosure perspective. WhiteAcid was able to demonstrate the issue, and informed the public, to get his ISP off their butts to fix the issue. Granted, it’s not a way to make friends, but their reaction was interesting. First came a cease and desist, then they booted him off their network. Basically, they threatened legal action against him. Here’s a snippet of an email to me from him about this (edited slightly for readability):

As for why… Finding the flaw was sort of accidental and once I had it I had to release it. I’ve always thought full disclosure was a good way to do things, the best way to get companies off their lazy behinds and in gear, that’s why I posted everything publicly. I don’t regret any of it, in fact, if anything I only regret censoring at my ISP’s request.

I know a lot of people have said I shouldn’t have released the passwords, that that was pointless. But I felt I should give out all the information, bad guys can get the password easily anyway. Besides, had I not released the password, virus (a friend of mine) may never have bothered writing the perl script (which he commented to the blog) which would fix the flaw.

This was interesting because their reaction was not to immediately alert their customer base of the flaw, but rather to kick WhiteAcid off their network. I’ve seen this sort of behavior more times than I can count. Companies feel that by putting the crook behind bars their unlocked door no longer matters and the bank is now secure. Not only that, they spend countless hours in legal fees, PR headaches, dealing with authorities, etc… and none of it makes them any more secure.

In this case, especially given their reaction, I would doubt that many researchers will release anything about their state of security - not to say they will be more secure - far from it. All they did was make themselves a target. Would I stay with their ISP given this information? Doubtful, since they are more interested in their public image than customer security. Clearly, they have a lot to learn about damage control.

Market Investment Recon

Sunday, April 15th, 2007

I had a meeting last week with one of my former employees about the sheer exodus of people who were leaving the company. Without solid evidence of it that we could relay in a public scenario (without disclosing internal dirty laundry), we had a few key indicators that anyone could see. Namely, the social networking sites that the company employees belonged to were abuzz. It got me thinking about ways in which you could actually predict future market conditions based on key information derived from one of the most powerful and insecure corporate assets - the employees themselves.

So I threw up a short white paper discussing how to mine out certain elements that can help investors know what may or may not show future market fluctuations. This was not at all meant to be a thorough list of recon methods; however, it was designed to get people thinking about and talking about the vast amount of information that is leaked openly by the companies in question. Hopefully it makes everyone at least stop and think a little.

Extortion or Payment

Monday, March 5th, 2007

Ever since Microsoft posted a rather well-thought-out comment on sla.ckers.org asking that people use responsible disclosure methods and talk directly with Microsoft, there has been a bit of a debate raging about disclosure compensation. It seems fairly split whether people feel that they should or should not be allowed to request compensation or some sort of monetary remuneration for finding exploits in a website and disclosing it responsibly.

Half seem to feel that if it’s not the company who pays, it will be some other group of malicious people who will pay for it. This flies in the face of the concept of responsible disclosure, as the company would have to get close to or beat the asking price of the malicious groups who would want the exploit in the first place, making it economically difficult for companies to justify buying them (not that they would, but even if they wanted to). So is it a case of free market economy or being the nice guy? Anyway, it’s an interesting read.

Wal*Mart of Hacked Machines

Friday, February 23rd, 2007

Come one, come all, how much do you want for this 2.5mbit hacked machine? We all know it’s out there - the underground market for hacked machines. There’s an interesting thread brewing on sla.ckers.org about this topic - one that I find kinda disturbing. Yes, if you ever wondered if those stories everyone told about a black market for hacked machines were true, rest assured, they are.

The prices are interesting, especially given the number of vulnerable services out there. Also, the fact that eGold is the currency of choice confirms what I’ve been told as well. That doesn’t really surprise me; there are very few good ways to transfer money safely internationally (and mostly anonymously). Interesting and scary read, if you aren’t already familiar with this stuff.