Showing posts with label exploit.

Saturday, May 22

Facebook privacy, why you should be careful, and what I'm doing personally.

It seems everyone has been jumping on the "Facebook is evil" bandwagon lately, some of it being fair, some of it not.  I thought I'd try and jump on the bandwagon too, but this time, let's lay out the facts and reflect on them and see how they are changing my outlook on Facebook and why it might be good to change yours too.

<bear with me, it's a long one, but it's a real one, and it's meant for you to read>

Facebook is a social networking site.  Two words.

Social -- relating to or designed for activities in which people meet each other for

Networking -- a group or system of interconnected people or things

A place where people come together to be interconnected and share things and activities.  Facebook.  Exactly what it does, so why is everyone so up in the air about it, why are people complaining about it?

Privacy.  Those of you that signed up for Facebook in the beginning, and are like me, take the world on the Internet with the assumption that everything that you do online can be read by anyone, you are careful what you put on Facebook.  I personally live with the realization that I have an Internet stalker.  A guy out there on the Internet -- for whatever reason -- follows me.  Goes to every email listserver I am on, listens to every podcast I do, watches everything that I do.  Now, some of you will look at that and say "Whoa, that dude is nuts!"  Well, I agree.

However, having someone like that is like a check and balance in Government.  It makes you realize that what you put out there on the Internet, no matter how mundane and stupid it may be, someone will jump on it like a horse and ride that sucker for all it's worth.  So you really pay attention to what you put up on the Internet in the first place.

Facebook, when it started out, was this concept, very different from "MySpace", where MySpace was "Everything is public".  When Facebook started many people jumped on it, thinking, "Wow, some privacy!"  Everything you put on Facebook could only be seen by your friends.  Those you invited to be your friends, or you authorized to be your friends.  Then, along the way, as Facebook started stealing ideas from Twitter, it started making things more public, and if you didn't change your privacy settings at each step along the way, your privacy was gone, and everything that was yours and your friends' was now available to "Everyone".

Facebook's privacy policy got longer and longer, more and more confusing, until recently this article came out that compared Facebook's privacy policy length to that of the United States Constitution, the document that established and governs our ENTIRE country, and found that the Facebook privacy policy was longer.

I started thinking about ditching my Facebook page back in November or December of last year when all of this was coming down, and it's just gotten worse and worse.  Take a look at this article written by Jason Calacanis (say what you will about Calacanis, but he brings up some good points to think about, and things that you might want to read yourself).

Jason recently wrote another article about how Facebook has overstepped the lines and violated the privacy and trust of its users.  Both are worth a read.  He talks about how Facebook screwed Foursquare, how they screwed Twitter, how they have screwed their users by changing their privacy model three times.

All of this stems from one guy.  Mark Zuckerberg.  Facebook's CEO and Founder.

"Zuck" as he's known in the "Valley" (I've never met the dude.) started Facebook, or at least came up with the concept for it while he was at Harvard.  Now, there is a lot of controversy about how the idea for Facebook came up, and that he stole it from other people, and this that and the other thing.  I'm not here to decide that, there are lawsuits in progress, and the courts will decide that one.

Zuckerberg has apparently (allegedly) screwed over many companies, partners, etc in the setting up of Facebook.  Claims are (from "they") that he wants to be the next Bill Gates, and is doing so by doing the same thing that Bill Gates allegedly did back in the 80's/90's, by "stealing" the idea for "x" from "y".  (Not mentioning names, because, like I said, allegedly.)

"Good artists copy, Great artists steal" -- Pablo Picasso (Allegedly)

Personally, I don't trust the dude, and neither should you.  <-- Read that.

So what does that mean for you?

If you have the realization that everything you put on the Internet, everyone can see, you are fine.  However, I don't like the fact that Facebook started off with one idea about privacy, and now it's a different story.

So what am I doing personally?

My "content" that I "produce" will no longer go on Facebook.  I'll point to my content on other places, (my pictures, my posts, my comments), however, I won't put things on Facebook anymore.  This will give me a metric.  A metric that says "How much do you really use Facebook".

I use Facebook for a couple things.  I like to put pictures up there and have people comment on them.  I like to put funny sayings and what not up there, but I also like to read what people have to say and look at their pictures as well.  I really use mine as a Social Network.

The people that I add on Facebook are my real-life friends.  Not "Facebook friends".  Not "Internet Friends".  I probably receive about 10 requests to be my "Facebook friend" from people every day.  People who read my articles on the blog, people who read my articles on the Internet Storm Center..  People who just read my emails on the Snort user groups (or God knows where else) and want to be my friend.  However, no, I don't add them.  Unless I've met you in real life, I don't add you.  In fact, I've deleted a bunch of people recently.

Facebook isn't for those people.  Those people can read this blog, and they are welcome to participate with me through the comments fields.  They are also welcome to follow me on Twitter.  But on Facebook, I have stuff like, pictures of my daughter and other things on there that I just don't want everyone to have complete access to.

I've locked down my Facebook profile along the way as well, making my profile viewable "Only to Friends".  But the trust that I've put in Facebook is lost.  Have you read their privacy policy?

Here are some choice quotes:

"Access Device and Browser Information. When you access Facebook from a computer, mobile phone, or other device, we may collect information from that device about your browser type, location, and IP address, as well as the pages you visit."

I'm not tracking you when you come to my blog.  I don't know who you are.  I don't much care.

"If in any of these cases we receive data that we do not already have, we will “anonymize” it within 180 days, meaning we will stop associating the information with any particular user."

But they don't delete it.

"Deactivating or deleting your account. If you want to stop using your account you may deactivate it or delete it. When you deactivate an account, no user will be able to see it, but it will not be deleted. We save your profile information (connections, photos, etc.) in case you later decide to reactivate your account."

But they don't delete it.

So make sure you read the privacy page.  Oh but wait there's more!  There's the Statement of Rights and Responsibilities page.

My favorite is here:

"For content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License"). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it."

So..  Anything I upload to Facebook belongs to Facebook.  They can use it however they want.  Including photos, and videos, and what else.

What about individual Apps?  Oh, there's a page for that too.  Check this out.  Good luck locking that down!


So, where am I putting my pictures?

I'm going to put them on my MobileMe gallery.  That allows me to have public photo albums, photo albums I can mark as private, and even more, I can secure certain photo albums with a password.

My Mobile Photo gallery is here. (Pictures that I take while I am on the go.)

But otherwise all my public galleries are here.

Can you subscribe to those photo galleries?  Yes, you sure can.  Via the RSS button at the top.  You can even subscribe to them in iPhoto if you are an iPhoto/Mac user.

If I have a special gallery that I want you to be able to see, I'll post it.  But I don't want my Intellectual Property rights being turned over to Facebook just because I uploaded a photo.  My pictures are mine.  Free for me to do what *I* want to with them.  Not Facebook.

I'm not going to put any more photos on Facebook.  Done with that.  When I put new photos up in one of my galleries, I'll post a link on Facebook pointing to the gallery.

I'm not going to put any more "content" on Facebook.  I'll put it here, on the blog, or I'll put it on Twitter, then I'll point to it on Facebook.  Annoying as that may be for those of you that are my Facebook Friends, I ask that you respect that I do that, and play along.  I feel that my real friends will still participate, and my "Facebook friends" will fall off.  That's life.

Lock your stuff down people, you have no idea what you are sharing with the world.  For proof, go here.  Take a look at what people are saying!

Does this mean I'm getting off Facebook?  No.  I am just controlling what goes up there.  I'm still going to participate with my friends, I'm still going to comment, and I'm still going to have fun.

Plus this alleviates my annoyance about having to "hide" and "ignore" all those stupid Applications that you people keep putting on there, wanting to share your Pirate Gold and wondering if I'll help you water your crops in Farmville.

I ask that you read what I've written above, click on those links I've put in the post, and decide for yourself.

Oh, and for God's sake.  Lock your PROFILE DOWN.

Saturday, March 27

Day Two: No One Even Attempts Hacking Chrome at Pwn2Own Competition

Day Two: No One Even Attempts Hacking Chrome at Pwn2Own Competition - Google Chrome - Lifehacker.

Found this interesting.  I didn't make it to CanSecWest this year, but several of my friends did go to this event/competition.  While I did see that every other major browser was cracked on day one (IE8, Firefox, and Safari), Chrome didn't even get tried, apparently.

While Chrome does use the WebKit (Safari) engine, Chrome starts each browser tab in a separate process which is in a 'sandbox'.

On the usability side, I've been using Chrome on the Mac since they opened up the dev channel for it, and I really like it.

Wednesday, April 8

Sourcefire's Exploit Development Class

First off, if you were to go look at this class on Sourcefire’s website, it states “Exploit Development Class for Snort Rule Writers”. We need to fix this. In the words of Lurene, “This class has nothing to do with Defense. At all. Ever.” The class should be more appropriately named, “Fundamentals of Exploit Development”, or “Writing Exploits, we’re going to hurt you”


So, let’s describe this class in two words or less:


Freakin Awesome.


Beginning on day one with a lot of terminology, introduction and drinking from the firehose on Assembly and gdb, by the end of the first day you are well versed in how to read assembly and pick it apart, and are even able to reverse simple programs. Your Brain will hurt.


Day Two, more drinking from the firehose, more reversing, more assembly, more gdb, drawing stacks, and by the end of the second day, you are learning to control EIP, and doing it. Your Brain will hurt even more.


Day Three, you just sit all day and hack programs. From simple to intermediate, (you aren’t cracking Microsoft Office just yet ;), by the end of the day, you are using reverse shells and shellcode like nothing. Your Brain is now fried. Go drink beer. Seriously.


This was the best class I have ever taken in my life. Srsly.


You know those classes where you go and sit, and you could probably figure out 80% of it, and the other 20% of the class you pick up little tricks and tips on whatever you are learning? This is not one of those. If you know assembly, or have experience in reversing assembly, this is not the class for you (even though you will probably learn something). The class I took was taught by 4 of the Vulnerability Research Team members, people I am glad to call my friends.


So, my hat’s off to Lurene, Matt, Ryan, and Nigel, along with all the other members of the VRT that contributed, came out, and helped with the class. It was great, and I’d gladly take it again anytime.


The best part of the class, I thought, was during the class, on a separate projector, they fuzzed software and found some 0days. I don’t want to disclose which pieces of software were fuzzed, but let’s just say that they are pieces of software that people use everyday.


In one piece of software, over 200 crashes and bugs were caused. No word on how many were exploitable yet.


No, I will not tell you which piece of software it was either.

Saturday, February 14

A tale of my mother-in-law's laptop

So, yesterday, my mother in law moved into my house to stay with us for awhile. (Yes this is cool with me, it was actually my idea.. Anyway.)


She handed me her laptop, a Sony Vaio (this thing is a freaking brick!) loaded with Windows XP. She always makes jokes about my network here at the house, and about how “clean” it probably is (all Macs, security, etc.), so I went about starting to clean it.


First, I wanted to get the antivirus updates. She had a current Antivirus client (Symantec), it was the full suite, with the firewall and everything. So I updated that, took awhile as it hasn’t been updated in awhile.


-- Sidebar --

My mother in law has been on dialup in her neighborhood where she used to live for a long time. She doesn’t log in for long, long enough to log into her AOL account and check her email and some light surfing.. (yes AOL. Seriously.)


So you can imagine, everything hasn’t been updated in a long time because of the speed of her connection, she doesn’t have the kind of time to sit there and let downloads download overnight.

-- Back to my Story --


The Antivirus ran, asked me if I wanted to deal with the stuff in Quarantine. I looked at what it was: 3 instances of “Bloodhound.Exploit” in Temp Internet files. Okay, not a big deal, they’ve been quarantined for over a year, so I just deleted them. Hopefully that’s all it finds.


So I started to download XP updates. This is really where I started to value my Macs. This machine was pre Service Pack 3, Windows XP. So you know the drill, get the updates up to date so you can download SP3, then download SP3, then install that, then update, update, update, update. I had to go to Windows Update at least 5 or 6 times. Office was actually updated, but the Windows OS updates were so far behind it took me 6 hours to get this thing updated.


Now, I know when you build a fresh Mac install you have to do the same thing. But it only takes me about 20 minutes to do it, not 6 hours.


I started telling my tale, as I was going, to my followers on Twitter. A lot of jokes were made, you know, about making the laptop a doorstop, or if I had a table with one short leg, go ahead and prop up the table with it.


Other suggestions were made like, “load Ubuntu on it, tell your mother in law it’s the new version of XP”. I thought about it, but my mother in law is just one of those kinds of people who get comfortable with her computing experience and you don’t want to upset that. She likes her XP and Microsoft Word, so I don’t want to mess with her right now; maybe she’ll get a Mac on her next computer buying experience.


Anyway, it’s fully updated and working now, yes, it’s on my network, as much as I hate to admit it. (It’s the first Windows machine on my network in about 6 years.)


Hopefully now, I can keep her patched and updated.


Monday, December 22

Immaculate Collection

(Preface: I wrote this around January of 2007 and simply forgot about it. I wrote it around the time that Marty was writing these posts: here. Also when Richard was writing these posts here.)


I started playing with Sguil again recently, and for the benefit of those that don’t know, Sguil is a Snort based “NSM” system. It uses Snort and some other tools brought together in one interface to provide better analysis and results. The main factor of Sguil is that it runs something like Tcpdump, Snort, or Daemonlogger in order to dump ALL traffic to disk.

I bought my good friend Richard Bejtlich’s “The Tao of Network Security Monitoring” book earlier this year.


Richard has the theory of: “collect all packets, because without all packets the total picture isn’t seen”. In principle, I agree. I used to use this methodology heavily in my last job, and it worked quite well at the time.


While he also goes on to say that IDS “alerting” has its place, without “context” (the surrounding traffic on the network) the alert will make no sense. I don’t know if I rightly agree with that statement as a whole. Let me explain my difference in “context”.


At my company, Sourcefire, we make a product called “RNA” which stands for “Real-Time Network Awareness”. This product coupled with our IPS’s and Defense Center make an extremely powerful tool for analyzing “alert traffic”. Let me give you an example.


Simple Example:

Hacker attacks your network with an exploit against IIS servers. If any of you have ever seen something like this before in your analyst lives, you probably know that they will either 1) Prescan your network for open http ports, or 2) just automate the attack so no prescan takes place, just the attack, very quickly.


If you have plain vanilla Snort, you will get an alert for every one of these attempts. Using the “Collection” theory, we would also collect all traffic for these connections and we are able to see which attacks got through the firewall, not which ones didn’t. You can even take this a step further and rebuild the session to see what took place (if anything). This is a lot of data. We’re talking a pcap file that contains not only all these hundreds of potential connections, but every other connection that is taking place on the network at the same time.


Now, there is nothing wrong with that if:

A) You have the hard drive space.

B) You have the time.

  1. Your machines doing the sniffing can keep up.
  2. You have the personnel to manage all the time, data, and storage.


The problem with it is, at modern network speeds, and the speed at which a program would have to write this stuff to disk, something would give. Now I am not talking at your 500 Mbit/s speeds. I’m talking about the majority of the networks that I deal with that are >1 Gig/s. Whether it be the hard drive, memory, or whatever, but something would buffer somewhere, and more than likely you are going to drop packets. Again, I’m not saying that this is totally a bad idea, I’m just bringing up cons to the pros.


But lets look at it a different way. RNA profiles the hosts on your network, both pre-attack and during, in real-time. RNA knows which machines are running IIS (if any) and which ones aren’t. So it already knows if you will be affected by the IIS exploit attempt.


When these alerts come back to the DC (Defense Center), the DC correlates the RNA event with the Intrusion Sensor alert and the “fat rises to the top” as it were. The DC knows to say “Hey, this attack affects IIS version 5, and only version 5, on Windows...etc..” This is technology that Sourcefire has invented and patented.


So instead of you now having to analyze 100’s of alerts and 1000’s of packets, hey, I only have “these two machines” over here running IIS, and the DC told me that I need to look at these alerts first. Are the other alerts still recorded? Yes, but now I know through the correlation which machines will receive a greater IMPACT from the attack. The two IIS machines. My other Apache boxes aren’t affected at all, so who really cares.


Lets take it a step further. Say the exploit was against IIS 5.0. Well, our two machines are running IIS 6.0. (I’m inferring patch level with this example)


So do we really care? Well, we might like to know, hey, there was an attempt, that’s great, but it doesn’t affect us, we’re not vulnerable to it, lower the IMPACT, and lets move on to the next alert.


If you were collecting packets using the “Immaculate Collection” theory, you’d have to analyze all these streams to make sure that each IIS/Apache/etc.. box returned 404 and whatever else error codes.


Could we do that with Snort? Yes, of course we could. But if RNA knows our network already, then is it important to us? Or is it just informational at this point?


Take it a step further. Think about the exploits that affect browsers, Mail Clients, versions of SSH, telnet, snmp, etc.. RNA already knows these services and applications on your network. Before the attack even takes place.


Single glances allow us to look at these 1000’s of alerts, and say hey, these 2 machines are running IIS, but we’re not vulnerable to the attack. In a matter of seconds.
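To make that correlation concrete, here is an added example in C. It is not Sourcefire's RNA or Defense Center code and does not describe how those products are implemented; it only shows the idea the post describes: a host inventory learned ahead of time, IDS alerts that carry the service and version the rule targets, and a function that assigns each alert an impact level so the "two IIS machines" rise to the top. The inventory, the alert records, the rule identifiers and the impact names are all constructed for this example; attaching target service/version metadata to a rule is an assumption, not a description of Snort's rule format.

```c
#include <stdio.h>
#include <string.h>

/* Constructed host inventory: what a passive profiler would already know
 * about the network before any attack arrives. Version stands in for
 * patch level, as the post does. */
struct host {
    const char *ip;
    const char *service;   /* e.g. "IIS", "Apache" */
    const char *version;
};

static const struct host inventory[] = {
    { "10.0.0.5", "IIS",    "5.0" },
    { "10.0.0.6", "IIS",    "6.0" },
    { "10.0.0.7", "Apache", "2.2" },
};
#define NHOSTS (sizeof inventory / sizeof inventory[0])

/* One IDS alert. The targeted service/version is assumed to be attached to
 * the rule as metadata (an assumption for this example). */
struct alert {
    const char *sid;      /* constructed local-rule style identifier */
    const char *dst_ip;   /* host the attempt was sent to */
    const char *service;  /* service the exploit targets */
    const char *version;  /* version the exploit works against */
};

/* Impact levels, lowest first. An unknown host ranks above "not applicable"
 * because the profiler cannot rule the attack out for it. */
enum impact {
    IMPACT_NOT_APPLICABLE = 0,   /* host does not run the targeted service */
    IMPACT_NOT_VULNERABLE = 1,   /* runs the service, but a different version */
    IMPACT_UNKNOWN_HOST   = 2,   /* no profile for this host yet */
    IMPACT_VULNERABLE     = 3    /* service and version match: look here first */
};

static const struct host *find_host(const char *ip)
{
    for (size_t i = 0; i < NHOSTS; i++)
        if (strcmp(inventory[i].ip, ip) == 0)
            return &inventory[i];
    return NULL;
}

/* Correlate one alert against the inventory and return its impact. */
enum impact impact_of(const struct alert *a)
{
    const struct host *h = find_host(a->dst_ip);
    if (h == NULL)
        return IMPACT_UNKNOWN_HOST;
    if (strcmp(h->service, a->service) != 0)
        return IMPACT_NOT_APPLICABLE;
    if (strcmp(h->version, a->version) != 0)
        return IMPACT_NOT_VULNERABLE;
    return IMPACT_VULNERABLE;
}

/* Bucket a batch of alerts by impact; returns how many are VULNERABLE,
 * i.e. the ones an analyst should open first. */
size_t triage(const struct alert *alerts, size_t n, size_t counts[4])
{
    memset(counts, 0, 4 * sizeof counts[0]);
    for (size_t i = 0; i < n; i++)
        counts[impact_of(&alerts[i])]++;
    return counts[IMPACT_VULNERABLE];
}

static const char *impact_name(enum impact lvl)
{
    static const char *names[] = { "not applicable", "not vulnerable",
                                   "unknown host", "VULNERABLE" };
    return names[lvl];
}

int main(void)
{
    /* Constructed alerts: one IIS 5.0 exploit attempt sprayed at every host,
     * the automated no-prescan case from the post, plus one host with no profile. */
    const struct alert batch[] = {
        { "1:1000001", "10.0.0.5", "IIS", "5.0" },
        { "1:1000001", "10.0.0.6", "IIS", "5.0" },
        { "1:1000001", "10.0.0.7", "IIS", "5.0" },
        { "1:1000001", "10.0.0.9", "IIS", "5.0" },
    };
    size_t n = sizeof batch / sizeof batch[0], counts[4];
    size_t urgent = triage(batch, n, counts);
    for (size_t i = 0; i < n; i++)
        printf("%s -> %s: %s\n", batch[i].sid, batch[i].dst_ip,
               impact_name(impact_of(&batch[i])));
    printf("%zu of %zu alerts need attention first\n", urgent, n);
    return 0;
}
```

All four alerts are still recorded, exactly as the post says; what changes is the order in which an analyst reads them. The one against the IIS 6.0 box drops to "not vulnerable" (the post's version-mismatch case), the Apache box to "not applicable", and the unprofiled host stays above both because nothing has ruled it out yet.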


If you’ve ever heard Marty Roesch speak, you’ll know that it is his belief that “Humans” basically can’t make the decisions for the IDS. Why don’t we let RNA tune it directly? But that’s for a totally different post, one that Marty has covered on his blog as well.


Of course there are strong points to both sides of the discussion. Share your thoughts in the comments.







® Snort, Daemonlogger, RNA, Defense Center, and Sourcefire are all registered trademarks of Sourcefire, Inc.

Monday, November 3

Research

Okay, so MS08-067 Worm(s). I got some intel from some various listservers that I belong to about a new worm (or worms) that were starting to be seen in the wild. So I got a few url’s to play with and started poking around. Note, these are not all the url’s that I tried to get the exploit/worm from. They are not all of the same worm, and they may or may not be related... BTW -- I am not a very good malware analyzer, Just an FYI.


It appears, one of the variants of this worm that I am looking at attempts to spread, not only through network vulnerabilities (08-067), but also through P2P networks like Emule.


So, I tried to get one of the files, named 6767.exe in this case. This EXE file does several things, some of which are very unclear as to the reason... as I said, I’m not a malware guy...




This exe downloads, and upon execution (again, in my particular sample, I am sure it will change), from a network perspective, on MY machine, it didn’t do anything. I have read several write ups of the 6767.exe variant, and I saw what it was “supposed” to do. But in my particular example, it didn’t do anything. I don’t know if it has some kind of virtual machine detection in it, and that’s why it didn’t execute? I don’t know. Just throwing that out there. Maybe it has some kind of sleep function so that it won’t execute right away.. making reverse engineering difficult. (boring!) For a list of what it does to a machine, take a look here. At this point I am more interested in how it spreads, not really what it does to the machine.


So, I downloaded a second sample “10wrjcenew.exe”, and executed it.


It tried to download two files, the first was “mimi.1268772” from ls.lenovowireless.net, and the second was pp.av from “218.4.137.213”. After this pp.av file was downloaded, the malware then attempted to register my computer on ce.10wrj.com. With this string:





This connection succeeded, but was immediately terminated. Since this particular HTTP connection was tried over and over again to register, and since the mac address is a vmware mac address, I can only guess that the machine receiving the Client Registration knows which mac addresses are vmware and doesn’t attempt to infect those? Just a theory. I found some interesting information about this here.


The two files were saved, actually on the desktop (because the malware I had executed was sitting on the Desktop), and were named svchost.exe and winlogon.exe.


So, you can tell that this is a completely different worm from the first one I tried.


Then, after that, scanning commenced on port 139 to try and find other hosts. Now I have a double NAT going on here (172.16 addresses (vmware) are being bridged out to 192.168 (home network) addresses, then translated to the internet). I didn’t notice it, but the worm must have looked up my ‘external’ address at some point because the malware never did scan my local subnet, it only scanned the public address scheme of my local subnet. Upon further review of the malware through other websites, I also found this to be the case.


After successfully connecting (which didn’t happen in my case) on port 139, it then exploits the other machine on port 445. Which is detected by Snort through rules:


[1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt

[3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt

[3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt


So I suggest you check out the newest subscription ruleset through Sourcefire at www.snort.org. Like I said, I am not a malware guy, I just did some clicking around to see what was out there and what it did. I haven’t reversed a binary in almost 4 years. Who has the time!? ;)



Friday, September 19

Quicktime/iTunes DoS

I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion..etc.

I think it's much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The program stops. That's it. It's a media app.

Call me when this vulnerability is remotely exploitable. THEN I'll be interested.



Thursday, July 24

Webinar with Dan Kaminsky

There is a webinar with Dan Kaminsky today to talk about the DNS issue.

Link is here.  Go and register and listen to all the news about the DNS vuln/exploit.

List of people on the panel:
* Dan Kaminsky, Director of Penetration Testing, IOActive
* Jerry Dixon, Former Director of the National Cyber Security Division, DHS
* Rich Mogull, Securosis
* Joao Damas, Sr. Programme Manager, ISC


Monday, March 31

Comment becoming a post

Got this as an anonymous comment on my last post:

"anonymous said...
How is it even remotely weak? Considering most virii spreading around these days is done via browser related vulnerabilities, I hardly would consider it "weak".

If it is so easy to discover browser vulnerabilities then how come IE7 held up on the Windows box (until the 3rd day when it was owned by flash)? How come you don't have any browser vulnerabilities credited to your name?

I hate to be "that guy", but the guy that won Pwn2Own walked away with $10k and a new laptop. I doubt he cares too much what bloggers think of him or his vulnerability, especially someone that hasn't done any similar research. Don't bash someone else's work unless you can reproduce it yourself.

Mon Mar 31, 08:55:00 AM"

My response:

Dear person-who-didn't-leave-their-name,

Who says I was bashing work? I still think it's a weak vulnerability.

I'm not saying that the guy that discovered it is stupid, or that the exploit itself is stupid -- props to him for getting 10k and a fat laptop. I'm saying that most of the journalists and bloggers out there are saying things like "Mac owned in 2 minutes". Really? Was it owned in two minutes? Or did the guy merely have the exploit already set up on his webpage before the contest began. Does that make sense? I don't like sensationalist headlines, essentially.

I'm also not saying it's easy for someone to discover the vulnerability, I am sure it took a lot of research and fuzzing. I am saying nowadays, there are a lot of browser vulnerabilities. It seems like every week there is at least one. I'm not saying that the research that is done by the people isn't worthwhile, I am just not a fan of browser vulnerabilities, because, as I said.. It's easy to switch browsers.

I do think it was interesting that Windows held up until Flash was introduced. But what kind of metrics are we using here? A machine wasn't able to get exploited in one week? It takes more time than that doesn't it?

All punditry. I guess I just miss the days of remote server side exploits like ws_ftp, IIS, and the like.



Saturday, March 29

Pwn2Own

People have been writing into me asking what I think of the Mac getting owned in the pwn2own contest at CanSecWest.

Truth is, two things.  I don't know about the exploit other than it was Safari related.
And second, browser vulnerabilities suck.  No matter the browser, simply because there are so many exploits for every browser that is out there, and they pop up, then are quickly squashed all the time.  Plus, it's way too easy to just switch browsers nowadays.  Many computers are starting to have more than one browser on them now..  not by default, but just by sheer happenstance.

All in all, I am going to say the same thing I said last year when the same thing happened at CanSecWest when a Mac was owned via the browser, then that's all I am going to say about it.

Weak.


Tuesday, February 26

Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC

Posted today, "Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC" is a remote Denial of Service against OSX 10.5.1, 10.5.2, FreeBSD 5.5, 4.9.0, and NetBSD 3.1.

It appears that the only reason for this DoS to exist is basically, a typo.

See? Copy and Paste from Exploit:
" * ipcomp6_input does not verify the success of the first call
* to m_pulldown (m -> md typo?).
*
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!m) {
* ->
* md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
* if (!md) {"
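The quoted comment is the entire bug, so here is an added example in C that reconstructs the pattern on a toy mbuf. It is neither the exploit's code nor xnu's: toy_pulldown() is a stand-in for m_pulldown() that returns NULL when the requested bytes are not in the packet, ipcomp_input_buggy() tests the input pointer m the way the quoted original does, and ipcomp_input_fixed() tests the result md as the quoted fix does. The struct layouts, the helper and the return codes are assumptions made for this example. In the real stack m_pulldown() also frees the chain on failure, which is why a missed check there ends in a NULL dereference inside the kernel; the toy version does not free anything, so the buggy caller here returns a marker at the point where the kernel would have crashed instead of actually crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy mbuf: one flat buffer with a byte count, not the real BSD mbuf chain. */
struct mbuf {
    size_t len;
    unsigned char data[64];
};

/* IPComp header as carried on the wire (4 bytes). */
struct ipcomp {
    uint8_t  comp_nxt;
    uint8_t  comp_flags;
    uint16_t comp_cpi;
};

/* Return codes for the two callers below (constructed for this example). */
#define IPCOMP_OK           0
#define IPCOMP_TRUNCATED   -1   /* fixed caller: pulldown failed, packet dropped */
#define IPCOMP_NULL_DEREF   1   /* buggy caller: reached the point where md would be dereferenced */

/* Stand-in for m_pulldown(m, off, len, NULL): hand back the mbuf holding
 * bytes [off, off+len), or NULL if the packet is too short to contain them. */
static struct mbuf *toy_pulldown(struct mbuf *m, size_t off, size_t len)
{
    if (m == NULL || off + len > m->len)
        return NULL;
    return m;
}

/* Mirrors the quoted original: the test is on m, the *input*, which is never
 * NULL here, so a failed pulldown goes unnoticed. */
int ipcomp_input_buggy(struct mbuf *m, size_t off)
{
    struct ipcomp hdr;
    struct mbuf *md = toy_pulldown(m, off, sizeof hdr);
    if (!m)                        /* wrong variable: always false at this point */
        return IPCOMP_TRUNCATED;
    if (md == NULL)                /* the real code has no such guard; it uses md here */
        return IPCOMP_NULL_DEREF;
    memcpy(&hdr, md->data + off, sizeof hdr);
    (void)hdr;
    return IPCOMP_OK;
}

/* The one-character fix from the quoted comment: test the *result*. */
int ipcomp_input_fixed(struct mbuf *m, size_t off)
{
    struct ipcomp hdr;
    struct mbuf *md = toy_pulldown(m, off, sizeof hdr);
    if (!md)
        return IPCOMP_TRUNCATED;   /* pulldown failed: stop here, there is nothing to read */
    memcpy(&hdr, md->data + off, sizeof hdr);
    (void)hdr;
    return IPCOMP_OK;
}

/* Build a constructed, zero-filled packet of 'len' bytes. */
struct mbuf make_packet(size_t len)
{
    struct mbuf m;
    memset(&m, 0, sizeof m);
    m.len = len < sizeof m.data ? len : sizeof m.data;
    return m;
}

int main(void)
{
    /* 40-byte IPv6 header followed by the IPComp header at offset 40. */
    struct mbuf good = make_packet(44);   /* complete IPComp header */
    struct mbuf bad  = make_packet(42);   /* IPComp header cut off after 2 bytes */
    printf("complete packet:  buggy=%d fixed=%d\n",
           ipcomp_input_buggy(&good, 40), ipcomp_input_fixed(&good, 40));
    printf("truncated packet: buggy=%d fixed=%d\n",
           ipcomp_input_buggy(&bad, 40), ipcomp_input_fixed(&bad, 40));
    return 0;
}
```

On the complete packet both callers agree. On the truncated one the fixed caller drops the packet, while the buggy caller sails past its check and reaches the dereference: a single short packet is enough, which is why the post calls it a remote kernel DoS caused by a typo.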


Saturday, February 23

Microsoft throws open the door

If you haven't heard about it already, Microsoft has published a ton of their protocols on their MSDN page.  Everything from Windows Update to Remote Desktop.  What is Microsoft (MSFT) trying to do here?  Are they going for the "open up the OS, we're moving to the online services" market?  I guess we'll see.

What will this lead to?  Well, people will try and make things interoperable, find the bugs, publish the bugs, exploits will rain down, cats and dogs, living together, MASS HYSTERIA.

But this may be nice for security researchers as well.  No more having to brute-force reverse engineer MSFT's protocols.  They are out in the open now.

Friday, February 15

Wordpress plugin exploit

Wordpress seems to be getting its butt kicked lately with all the xploits that are coming out for it and its plugins. In a new one just published to milw0rm today, this one deals with "Simple Forum". I guess there is no rest for the exploit writers out there, even if this one does seem rather weak. Especially when the tag line at the bottom of the exploit reads: "i AM NOT HACKER". Instead of the much better "I am not A hacker". It's all in the details.

Thursday, February 14

Teen hax0rs iPhone. Again.

In the quest for people to keep hacking the iPhone (at least, I guess, partly until the SDK comes out), the Register is running an article about a teen that has re-hacked the iPhone on the new 1.1.3 firmware.  Except this time it wasn't like exploiting the TIFF flaw.  This was much harder.

Money quote: "The latest salvo was fired late last week, following a 24-hour hacking spree by Geohot that was broken up by only three hours of sleep. It turns out the latest firmware contained modifications to the device's memory registers to prevent unlocking. Geohot worked around those changes by finding another, much higher register that was vulnerable."

When the SDK comes out, I am sure some of the hacking (or the pace of it) will probably slow down, because people will actually have a legit way of getting apps on the iPhone.  However, there will be a certain percentage that will be interested in it because of the SIM card unlocks.

People want to be able to take their phones to other networks.  I have a buddy of mine that has his on T-Mobile.

But I know a lot of people that have hacked their iPhones for the apps.  I used to have my iPhone hacked, but then the firmware update (1.1.1?) came out that allowed me to download music directly on the phone.  That's all I wanted.  After I got that, there really weren't any other apps I was interested in.

There are a couple of apps I would like Apple to come out with.
1) A to-do syncer
2) Notes syncer
3) .mac syncing OTA
4) iChat interface.

If Apple had those features on the iPhone (while the top two are also updates to iTunes, pretty much), I'd be pretty happy.
Thanks go to Craig, who sent me this article.