web application security lab

Archive for the 'spam' Category

IP to Virtualhost Lookup

Thursday, August 3rd, 2006

Okay, I’m just totally in love with this post by Jaimie Sirovich over at SEO Egghead.  He exposed a function that I’ve been wanting for a good long while: some way to do IP to virtual host lookup.  His solution, similar to my Cname lookup, is to use a search engine.  I wasn’t aware of this flag in MSN, but apparently if you query it for IP addresses it will do exactly that.  Well, nearly exactly that.  It also points out any domains that are 301 redirecting or meta refreshing to your site.  Strange!  But whatever the case, it gets you 90% of the way there with not many false positives.  Those false positives can be identified and removed by simply doing another lookup on those domains and seeing if they match the IP.  Pretty trick!

In this way you can accurately identify SEO spammers and virtual hosts.  This is particularly useful for penetration testing because often the hardened host is the main one on the machine.  The softer hosts that reside on the same machine can be compromised, therefore giving you access to the same web application (and probably even the same Apache process).  Very scary stuff for anyone doing lots of hosting on single IPs.  Thanks for the post, Jaimie!

Finding Cnames Via Google

Wednesday, August 2nd, 2006

By way of SEOEgghead I ran across Matt Cutts’ Google videos.  I’m really surprised I didn’t see this before so thanks, Jaimie!  At first I thought it would be a lot of beating around the bush about best ways to make your site rank using better HTML or some other nonsense, but instead he beat around the bush on a number of other issues.  I’m actually really glad I watched the video talking about a guy who set up thousands of domains all linking to the same JavaScript.  Talk about a blackhat SEO newbie mistake!  But Matt Cutts also mentioned a lot of domains on a single IP address.

Wouldn’t it be great to have a mapping of virtually the entire internet, where you could see every hostname -> IP address pairing?  Granted, it would have false positives like virtual hosting services, as he says, but come on!  Talk about predictive!  Sure, a few dozen domains may be possible.  Especially for hosting providers, but if I have hundreds of domains that look even vaguely shady, that’s a huge indicator.  Even if they aren’t the same IP, but within a class C network, that could still be highly predictive.  IP addresses have come back to haunt us!  Everything has to be routable, and if Google has to know where you are to index you, and they have any interest in detecting spamming, of course they’ll do a mapping like this.

I had always wanted to build something like this myself, but to build a spider like that would take more horsepower than I’ve got in my rack at home by far, and a database with some serious space.  We’re talking about millions of hostnames to IP addresses.  It gets harder because that has to stay up to date.  Six month old data is practically worthless when you are talking about spamming domains which may only stay up for a week or less in some cases.

Then I suddenly remembered a conversation I had a few weeks back with one of my readers, who shall remain nameless for the time being.  He asked me a simple question, “How do you find all the cnames on a host?”  Cname (or subdomain) spam has its ups and downs in the SEO world depending on the day of the week it seems like and depending on which search engine you’re talking about, but it’s a pain to correlate it all together, no matter how you slice it.  It’s also useful for auditing websites for vulnerabilities since cnames almost always reside on the same host, or at minimum use the same backend.  I thought for a few seconds and I came up with a solution.  Use the search engine itself!  Let’s say I want to find all the cnames on Google.  Let’s start with a simple query:

site:google.com -www

That gives us a list of links back, none of which contain “www”.  So now I see things like sketchup.google.com and finance.google.com and eval.google.com.  So let’s make a note of those and query again:

site:google.com -www -eval -sketchup -finance

And then you take what is left from that (which may include things like sub directories which you can remove as well) and remove them:

site:google.com -www -eval -sketchup -finance -google.com/answers -google.com/trends -browsersync -desktop -toolbar -earth -picasa -toolbarqueries

And so on, until there is nothing left to search.  In this way, you can get all of the cnames of a server with relatively few queries.  Of course, Google is a huge site with lots of cnames, so this technique is pretty tedious with them, but with smaller sites you can go through this pretty quickly.  This still won’t help you do an IP address to domain name lookup, like what Google has access to, but it does help you do your own investigation of cname based spam.  This technique came in handy finding some of the other domains on one spammer site, which you may remember from one of my previous posts.
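The iterative exclusion loop above, plus the “look the domains up again and see if they match the IP” false-positive check from the IP to Virtualhost post, as an added example (not code from the original posts). The search index and the resolver table are constructed stand-ins, so the `search` function only approximates real engine behaviour (substring negation on the URL) and runs offline.

```python
from urllib.parse import urlsplit

# Constructed search index: what "site:example.com" might return (assumed data).
SEARCH_INDEX = [
    "http://www.example.com/",
    "http://www.example.com/about",
    "http://finance.example.com/",
    "http://eval.example.com/",
    "http://example.com/answers/1",
    "http://example.com/trends",
    "http://sketchup.example.com/download",
    "http://mail.example.com/",
    "http://old.example.com/",
    "http://www.unrelated.org/example.com",  # not under the site; must be ignored
]

# Constructed resolver table (RFC 5737 documentation addresses, assumed).
DNS = {
    "example.com": "192.0.2.10",
    "www.example.com": "192.0.2.10",
    "finance.example.com": "192.0.2.10",
    "eval.example.com": "192.0.2.10",
    "sketchup.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",    # separate mail box, not the web host
    "old.example.com": "198.51.100.5",   # stale name now pointing elsewhere
}

def in_site(host, domain):
    return host == domain or host.endswith("." + domain)

def search(query, index=SEARCH_INDEX, page_size=3):
    """Crude stand-in for the engine: honour 'site:' and '-term' (substring
    match on the URL) and return one page of results."""
    tokens = query.split()
    domain = tokens[0][len("site:"):]
    excluded = [t[1:] for t in tokens[1:] if t.startswith("-")]
    hits = [u for u in index
            if in_site(urlsplit(u).hostname, domain)
            and not any(term in u for term in excluded)]
    return hits[:page_size]

def exclusion_term(url, domain):
    """The '-term' the post adds for a result: the subdomain labels, or
    'domain/firstdir' for a hit on the bare domain."""
    parts = urlsplit(url)
    host = parts.hostname
    if host != domain:
        return host[: -len(domain) - 1]          # e.g. "finance"
    first_dir = parts.path.strip("/").split("/")[0]
    return f"{domain}/{first_dir}" if first_dir else None

def enumerate_hosts(domain, search_fn=search, max_queries=100):
    """Re-query, excluding everything seen so far, until nothing new comes back.
    Returns (sorted hostnames, number of queries issued)."""
    excluded, seen, hosts, queries = [], set(), set(), 0
    while queries < max_queries:
        query = f"site:{domain} " + " ".join(f"-{t}" for t in excluded)
        results = search_fn(query.strip())
        queries += 1
        new = [u for u in results if u not in seen]
        if not new:
            break
        for url in new:
            seen.add(url)
            hosts.add(urlsplit(url).hostname)
            term = exclusion_term(url, domain)
            if term and term not in excluded:
                excluded.append(term)
    return sorted(hosts), queries

def verify_same_ip(hosts, expected_ip, resolve=DNS.get):
    """False-positive removal: keep only names whose lookup returns the target IP."""
    return [h for h in hosts if resolve(h) == expected_ip]
```

With the constructed data, four queries enumerate all seven names, and the verification step drops the two that resolve elsewhere.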

Finding cnames can help isolate spammers, but wouldn’t it be nice if we could somehow get access to all the IP address to hostname maps?  There’s got to be a way somehow.  Hmmm…  I’ll have to think about that one.

Writing Steganographic Messages in Spam

Tuesday, August 1st, 2006

I ran across this security link a few days ago and I thought it would be worth sharing with my readers. It’s a way to steganographically encode text as spam. This is actually one of the more ingenious ways that I’ve seen to encode messages. I mean, we all get insane amounts of spam, so what better way to send information than by spam. One of the key ways to tell that there is a covert channel is by looking for anomalous traffic, but spam is so common, and so commonly comes from everywhere, that it is very difficult to detect.

That said, there are a few obvious problems with this. The first being you have to either set up an agreement with the other party to know which messages are spam, or that party has to run all of their mail through the steganographic filter. Using a resource on the web is the same thing as sending it plaintext (unless you use the SSL connection). But now you are risking that the website itself isn’t under federal wiretap or something else. Also, you have to worry about the spam that you are expecting actually making it through your spam filters. So unless you have an account that simply sits out in the middle of the DMZ with no protection there is a high likelihood of losing the spam entirely.

You also cannot use the spammimic tool as an API (as far as I can tell), meaning you have to send all your traffic over HTTP/HTTPS to that website, which sets off huge alarms for anyone who is eavesdropping. And last but not least, as with any steganographic system, once you tell people that it exists, it is almost completely useless. That’s the problem with steganography: you can never tell anyone about the best ways to hide data, or it’s a broken system.

Still, interesting idea though!

Popup Blocking

Sunday, July 30th, 2006

I ran across an interesting link to a page that tests your browser for popups. It requires that you run Java. I was actually a little bummed that not a single popup went through on my browser. But then again, I run QuickJava (similar in principle to Noscript, but better for my needs) so it’s not that big of a surprise.

But it got me thinking.  This really only tests conventional popups.  It certainly doesn’t test for things like my Most Evil Popup Ever(TM). Frankly, I wouldn’t expect it to, because it isn’t a normal popup, but as technology evolves, I think less and less conventional means of delivery are going to take over.  I feel like there are probably other forms of these types of popups that could work better, but I haven’t put any time into thinking it through, so it’s probably best to leave it at this.  Anyway, cute link if you aren’t sure how vulnerable you are to popup annoyances.

Selling Exploits for Cash

Thursday, July 20th, 2006

id just sent me a link to Dark Reading talking about the controversial prospect of selling exploit code for cash.  It has been something I’ve talked about in the past, and actually I was alerted to it by OptikLenz as well.  The website is called Zero Day Initiative (it has been live for about a year now).  The black market is buying “weaponized” exploits that require little to no skill for up to 2-5 times the highest asking prices of these websites.

Call me crazy, but this is a huge market place now.  Considering that Phishing is a billion dollar industry, who cares if they have to spend $50k for a remote windows exploit to help them host phishing sites?  Or $10k for a new spamming technique.  It’s a small price to pay when the ultimate gain could be tremendous for the assailant.

And do you think 3Com or TippingPoint are doing this for the good of humanity?  No, they are reselling it via their contracts with their customers to make more money off of the exploit code.  The economics of hacking are beginning to move into the free market economy and away from the socialist free-for-all of the last decade.

Hyperactive Spam Solution

Monday, July 17th, 2006

I ran across an interesting email the other day on Full Disclosure, from a Stuart Udall claiming to have a near perfect solution to spam. Click here to read the anti-spam tactics. Granted, there are some serious issues with this technique as Stuart points out. The most obvious one is that because it is so good at finding them it also happens to find a lot of false positives. To avoid this you need a whitelist of your own contacts.

But would that work for me? Not that I’m your typical user, but it’s still a datapoint. I get literally hundreds of pieces of email a day, from all over the place. Some are mailing lists, some are direct marketers for things I actually want to receive, some are questions from the people who read this board, some are work related, and lastly, some are just plain old spam. Spam only makes up a small minority of my email. The vast majority is people I’ve never met and probably never even talked to before - let alone added to my addressbook.

The tools that hook into your webserver to automatically seem like a good idea, but do I really want to give up information to users I have never met before - like my IP address (assuming I don’t use a proxy or something like Tor) and my browser type, etc.? It’s an interesting problem dictated in large part by the Turing halting problem (as are many security issues, it turns out).

Is Accountability the key to Security?

Friday, July 14th, 2006

Several years ago I was in a meeting with a bunch of execs from a number of high level security companies, talking about ways to improve Internet security globally. It was a bit of a big wig brainstorming session. Most of the comments I heard were inane things like “We need IPv6 globally! That would get rid of NAT!” and “An IPS in every home would solve everything.” As we went around the table I heard more and more ill-thought-through ideas that probably would do more harm than good for internet security. Then came my turn.

I looked at these execs, who were all more than 10-15 years older than I, with presumably the same level of business acumen, and I told them, “Accountability. If you had accountability for every transaction, every packet on the entire internet, to trace back to the person typing the commands, internet crime would nearly halt.” Today, I still believe that to be true, however the cost associated would be enormous - not to mention the backlash. However, let’s step through it for academia’s benefit:

  • The reason why blackhat SEO can exist is because Google cannot programmatically tell who originated every last byte.
  • The reason why spam can show up in my inbox is because I can’t go and readily beat the person who sent it to me with a lead pipe.
  • The reason why the internet can transmit cross site scripting attacks is because the website owners can’t effectively parse their logs to find out who sent the traffic in the first place.

Let’s assume for a second that the data the Internet had on you were 100% flawless and real time. Think about it. If you knew that every email you sent, and every internet site you went to, had every piece of relevant and up to date personal information about you and your whereabouts, would you do anything illegal on the web - even as a bad guy? The problem is that the Internet was built with anonymity in mind. It was designed to hide the user behind IP addresses and pseudonyms.

The reason why security will always be a problem on the net is because it is intentionally designed to be a vast dumping ground for all activity, in a highly random but also very organized manner, so that anyone who surfs it is relatively safe and anonymous. Of course there are exceptions, and there are valid prosecutions, but that proves my point. When accountability for actions is held, the users are forced to stop their malicious activities. There are no further crimes committed (at least in that way) by that person because guess what? Prison sucks - especially international prisons.

I’m certainly not advocating the government know everything about every user who uses the Information Super Highway - no indeed. I’m actually far more of a privacy advocate if anything. However, the systems that are placed on top of applications these days (like DRM and spyware) are circumventing the anonymous nature of the Internet by broadcasting as much information as possible to the originator - thereby adding accountability. Looking into the faces of the men around me, I truly believe the point was lost on them. Not that there is anything any of them could do to create accountability on the Internet anyway, so back to IPSs we go. With that, I think the issue is not about accountability after all, it’s about risk mitigation. Bruce Schneier is a smart man. If you haven’t already read Secrets and Lies, and you work in the security world, go buy it - it’s non technical, but worth the read.

In Bruce’s first book, Applied Cryptography, he basically says, “All security can be solved by math”. In his second book, Secrets and Lies, he basically says, “Wow, hahah, remember that last book I wrote about the math stuff? I was totally wrong about that one, sorry, it’s all about risk mitigation.” I have to respect that - he really grew up a lot between those two books. In any case, I think risk mitigation does not have to come at the cost of privacy, even though that would help a lot. So no, I don’t think accountability is the key to security, even though I believe it would solve the issues.

The backlash, as I said, would bring us full circle back to an insecure version. A secured version of the internet may be useful for children and people who have no need or desire for privacy. The rest of us will suffer with security issues.

Statistical Probabilities of Time Coordination

Thursday, July 13th, 2006

A few weeks ago I saw three cops on the same stretch of road where I normally see none. They were all hiding in their typical speed trap stance, waiting for the next unlikely victim to hit the gas. I had to think for a second why they would suddenly be patrolling so heavily, and then it occurred to me - yup, it’s the end of the month and the cops have to make their quotas. Just like lots of systems, even the cops have phases, and those phases can be calculated. For instance there is less likelihood that a cop will be patrolling at noon than at midnight. It got me thinking about computer security.

When May 6th hit (6/6/6) there was a lot of speculation that there would be some sort of attack against the global network by a band of hell bent hackers. So, everyone went on full alert, and every security operations person was on call. What happened? A fat lot of nothing. Maybe there were a few isolated incidents, but no more than normal. If you were an attacker you’d have to be retarded to attack when the target is being as vigilant as possible.

So there I was, narrowly avoiding my third speeding ticket in a row that day, and I got to thinking: there really is no difference between cops and security operations personnel. SOC staff work normal hours (9-5 in Silicon Valley) and you might have one or two working 24/7 on certain ultra mission critical systems, but generally these are also your NOC staff that work the graveyard shifts and are less likely to be aware of the issues at hand to make an informed decision.

So when is the best time to attack? Logic would tell you that the evenings of major holidays are probably the most likely time, when the fewest people are around or even within cell phone range. People are more likely to be on vacation during the summer. There is next to no one in the offices between 9PM and 5AM. There are even fewer during those times on the weekends. If you are attacking a highly Christian organization, Sunday mornings are a prime time. An Islamic organization should be targeted during Friday prayers, and so on.

The statistical likelihood of being detected goes down significantly if you take these factors into account. Of course, automation (like IPS devices) is paving the way to making this sort of thing far less likely. But this doesn’t just apply to attacks per se. What about search engine spamming? When Matt Cutts from Google went on vacation the spammers did a countdown of how long they had until he returned. What about email spam? It is well known that spamming Monday nights is the most effective time to spam, so that Tuesday morning, the user’s inbox’s first email will be a nice juicy spam.

Of course you have to take the timezone of the target into account if it is critical to deliver the payload at a particular time of day, but in the case of police officers, it can be on monthly swings. In the case of security operations, it can be yearly swings like the Christmas holidays, or in the case of teachers you have summer vacations. These subtle variances can dramatically decrease your likelihood of being caught.

But what if your goal isn’t to avoid being caught, but rather to have the maximum effect of payload delivery? Let’s go back in time to 1995-1996. There was a small group of people that built a website called HP Bug of the Week. Every Friday night they would release a new buffer overflow in HP/UX. They did it for weeks on end, which caused the security operations, development and QA staff for HP to stay the entire weekend trying to verify the vulnerabilities, fix, QA and release patches. The same is true with viruses. There are definite times of day that are more likely to have damaging effects on propagation (start early in the morning, Japan time, and watch it follow the globe as more and more computers turn on as it becomes daytime around the globe).

It’s an interesting anomaly of human existence that follows itself into the online world.

Sometimes it Sucks Being a Search Engine Spammer

Wednesday, July 12th, 2006

Somehow I ended up on the dumb side of a search engine spammer. I have no idea why anyone would think this would be a good site to rip off - you have to be a serious newbie to think that’s a good idea. Anyway, there I was, getting pingbacks and referring URLs and people telling me that my site was being ripped off by some dumbass. The only vaguely amusing side of this is that other SEO blogs have been hit by this recently too.

I’ve got to think this is just some sort of dumb joke, but that would be way too smart. No, this is just stupidity. So anyway, it was fairly trivial to figure out who was ripping my RSS feed. So it took me a few seconds to modify my document management system to do some IP delivery to the moron, and a few seconds of searching on the web for some nice prescription drug spam and poof! His site now looks like a bad spam doorway page and will continue to do so even more so with every post he indexes.

Then I do a little research on the idiot himself and I find out all his infoz:

– removed –

Why on earth would you hand pick this site, out of every site on the web, and think for a second I wouldn’t fuck with you? Way to go, moron. I’m not a spammer hater, but come on. Get a clue!

He also registered all his domains with Godaddy, and this is totally against their TOS - (copyright infringement). He’s lucky I don’t get all his sites nuked, dumbass.

Spam clustering

Wednesday, July 12th, 2006

A few years back I was having a conversation with Ambient Empire (aempirei) about ways to detect interesting information through natural text. He started by creating a tool to measure relative intelligence by word length and density, etc. It was an amusing tool but that’s about it. Later I asked him to write a tool to detect when someone is mad at me, so I can respond quicker (it was intended for disgruntled girlfriends) - still waiting on that one. But then aempirei came up with a way to do spam recognition by clustering it into its relative signatures.

It’s an interesting theory, that has a lot of practical worth. Humans often attempt to classify information into buckets, so this is a way to visually represent spam variants into those buckets that people find easier to digest. But if you were to take this one step further, for instance, you could classify any kind of malicious behavior and correlate that to a certain type of user or even to a particular user itself.

Several years back I was working on event correlation systems (or as Gartner likes to call it - security information management). One of the interesting things we could do is detect two disparate events, like a change to a file on a system via Tripwire or a HIDS, and tie that into a normal router event. The Tripwire event might be able to tell you who changed the file (probably the administrator account, and they probably cleaned up the files to remove their IP address from any logs, so that’s not particularly helpful) but the router can tell you that an IP address touched it at the exact second that the file changed. Thereby you get a lot more value out of both of those tools than you would have with either in a stand-alone environment.
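The Tripwire-plus-router correlation described above, as an added example that is not from the original post or any product. The HIDS and router lines, the host-to-IP map and the one-second window are all constructed assumptions; the point is that the file-change event alone names only the account, while the join against flows to that host at the same second yields the source address.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed formats, documentation IP ranges), UTC.
HIDS_EVENTS = [
    "2006-07-12T03:14:07 host=web1 user=admin action=modified path=/var/www/html/index.php",
    "2006-07-12T09:00:00 host=web1 user=admin action=modified path=/etc/motd",
]
ROUTER_EVENTS = [
    "2006-07-12T03:13:20 src=203.0.113.9 dst=192.0.2.10 dport=22 action=accept",
    "2006-07-12T03:14:07 src=198.51.100.77 dst=192.0.2.10 dport=22 action=accept",
    "2006-07-12T03:14:09 src=192.0.2.55 dst=192.0.2.10 dport=80 action=accept",
    "2006-07-12T08:59:58 src=192.0.2.55 dst=192.0.2.10 dport=22 action=accept",
]
HOST_IPS = {"web1": "192.0.2.10"}   # assumed asset inventory

def parse(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(hids_lines, router_lines, window_s=1):
    """For each file change, list the source IPs of router flows to the changed
    host whose timestamp is within +/- window_s seconds of the change.
    The router alone cannot say which flow mattered; the HIDS alone cannot say
    where the change came from; the join gives both."""
    window = timedelta(seconds=window_s)
    flows = [parse(l) for l in router_lines]
    findings = []
    for ev in map(parse, hids_lines):
        dst = HOST_IPS.get(ev["host"])
        near = [f for f in flows
                if f["dst"] == dst and abs(f["ts"] - ev["ts"]) <= window]
        findings.append({
            "when": ev["ts"].isoformat(),
            "path": ev["path"],
            "user": ev["user"],
            "sources": sorted({f["src"] for f in near}),
        })
    return findings

if __name__ == "__main__":
    for f in correlate(HIDS_EVENTS, ROUTER_EVENTS):
        print(f["when"], f["path"], "by", f["user"], "from", f["sources"] or "no matching flow")
```

Widening the window admits more candidate sources (the port-80 hit two seconds later, for instance), so the window is a tuning knob between missed matches and noise.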

In the same way this sort of spam clustering could have all sorts of value. Think about an environment where you have a clustering technology that attempts to classify events into buckets for eventual digestion from an event correlation tool. You could get a lot more value out of the information because it would be directly relevant - “This XSS attack looks a lot like this other connection that we’ve never seen before - although we have no signature for it”. Interesting concept anyway. It’s more along the lines of advanced anomaly detection and it’s already being worked on, but I like the way that aempirei digests the information.