contact Wesley McGrew: | email - wesley@mcgrewsecurity.com | gpg key | aim - wesleymcgrew | twitter - mcgrewsecurity |

McGrew Security Blog

Archive for May, 2007

Google RSS Reader (and Wesley’s google-reader-subscriptions.xml)

Tuesday, May 29th, 2007

I used Google RSS reader, a year (or maybe more) ago, when I first got into subscribing to sites with RSS. Before, I just had a daily routine of web sites I’d visit that was more or less committed to memory, and heavily influenced by whatever I was working on at the time. This is prone to “error” of course, as sites slip my mind, or I find new sites, intend to check back for future updates, and promptly forget about them. A friend recommended that I start reading sites via RSS, specifically using Google’s reader.

This worked out well, and eventually I moved on to other clients, including Liferea and more recently Akregator. The problem with this, is that I would have my subscriptions, with their archives and the posts that I had flagged, all on my laptop, when I use several different computers throughout my day. I could subscribe on clients on all of these different computers (but my flags and settings wouldn’t propagate), or perhaps carry a client around on a USB drive (awkward, and I use many different operating systems). I had a need for a better solution.

…This brought me back to Google Reader, which, in the time that I was using other readers, had changed interfaces. It’s really nice now, and it’s web based, so I can use it wherever I have a web browser at my disposal. Now I just keep it open in the tab right next to my gmail tab.

In an earlier post, I listed out a lot of the RSS feeds I subscribe to for security and forensics related news, blogs, and podcasts. Now, for those who really want a mountain of feed material, I’m just going to present to you my exported (OPML format) list of feeds from Reader’s export feature. This, along with a lot of mailing lists (maybe I’ll cover that soon), is how I try to keep up with things. If you notice anything missing, be sure to fill me in via a comment or email :) .

Writeup on IRC Anonymity at terminal23

Thursday, May 24th, 2007

LonerVamp of terminal23 has written a nice blog post about anonymity on Internet Relay Chat (IRC):

staying anonymous - part 4 irc

I left some additional comments to it that should be approved any moment now ;) . Anonymity is harder than configuring your client to use a proxy, and LonerVamp does a good job of conveying that. It’s a matter of changing your behavior, and becoming tuned to recognize identifying characteristics of what you’re doing, and modifying them. You should always be looking for ways that you might blow your own cover and prevent those situations from happening before someone else comes around to blow it for you. IRC’s a great protocol to think about anonymity in, since there’s such a host of technical and social problems that might make things difficult.

Maybe I should start my own multi-part series on “Blowing Up People’s Anonymity” ;).

Mitnick tells some more of his story

Wednesday, May 23rd, 2007

Kevin Mitnick has revealed some very interesting details, concerning how he obtained access to cell phone firmware source code (great story, with some good lessons for people to take away, even today) and his involvement in hacking Tsutomu Shimomura’s computer at the San Diego Supercomputer Center. It’s all wrapped up in a nice, short, and entertaining article by Jonathan Littman, who authored The Fugitive Game: Online With Kevin Mitnick (also recommended reading).

The article’s in the new June issue of Playboy, and Mitnick has made it available on his site at : http://www.mitnicksecurity.com/images/Mitnick_Playboy_feature.pdf

Practical WLAN Security Report

Wednesday, May 23rd, 2007

Alexander Sandström Krantz has self-published a report, entitled “Practical WLAN Security”, that he put together along with David Johansson for a class at Linköpings University in Sweden. I just caught his post on SecurityFocus’s “basics” list, and have glanced over the text, and it looks to be a very well written introduction to 802.11 network security issues. This is definitely something you should pick up and read if you’re getting a start on this subject.

http://wireless.sandstromkrantz.se/

Update: Mirror at http://www.cyd.liu.se/~alesa195/

Personal Password Management with Pwman3 (with a bit of hacking)

Monday, May 21st, 2007

Introduction

How many passwords do you need to keep up with? Even if you’re not working in IT, with accounts on many systems, you might be surprised if you count them all up. You probably (at least) have passwords for your home, laptop, and work computers, email, banking, and another one for each of the bills you pay online. Then, most people will have a lot more: instant messaging accounts, web-based email, forums, social networking sites, online shopping, etc.

Along with this, we have what is considered to be good password policy, which most will agree goes something like “at least 8 characters, mixed case, digits, special characters”. If you have, say, ten different systems that you sign into, this becomes a burden. Memorizing one secure password isn’t so bad, but each additional one becomes more difficult to the point of being nearly impossible. A few things happen at this point for most people:

  • One strong password for everything - Obviously a bad idea, no matter how great of a password it is. Your security would rely on the weakest link of all the places you use that password. A compromise of the user database of some forum you read in your spare time winds up handing attackers the root password for mission-critical servers.
  • Tiered passwords - One strong password for things that “matter” to you, and weaker “throwaways” for everything else. This isn’t so bad, but you still have containment issues if any of the important systems are compromised. The weaker passwords are easier to break, and the attacker may still be able to give you a bad day with just the “unimportant” sites.
  • Writing down passwords - A lot of people are going to tell you that this is a huge mistake. Realistically, this depends on your situation. Sticky notes on your monitor may be a bad idea if you’re in a large, open-plan office with easy access for the public. It might not be as bad if you work at home, assuming your monitor doesn’t face a window directly. Then you only have to worry about family and friends. In either case, an eastern European script kiddie isn’t going to be able to see them (unless, of course, you live in eastern Europe). Perhaps keep them in your wallet. Then you’ve narrowed it down to people who mug you.

In this post, I’m going to be discussing a way you can manage your passwords in a list, encrypted, and protected by a single master password that you must remember. With such a list, you’ll be able to use longer, more complex, and unique passwords for each of your accounts. The trade-off is that you will have put all of your eggs into one basket. Assuming your master password is strong enough, the attacker will need to compromise the system you store all of this on, and log you typing it in (at which point, you’re pretty much sunk anyway). Keep in mind, though, that anyone who gets a copy of the database file (a stolen laptop, an unencrypted backup) can guess at the master password offline, with no lockouts or rate limits, so it has to stand up to that and not just to an online login form. With that in mind, this isn’t such a bad tradeoff.

In a discussion on the McGrew Security BBS the other day, a friend recommended “pwman” as a great application for this purpose. Pwman has recently undergone a Python rewrite, and is actually very easy to use and tweak for your individual needs. I’ll discuss how to install pwman3 (the new Python version) on Ubuntu Feisty 7.04, as well as the packages it depends on. I’ll also discuss a small modification I’ve made to pwman3 to make it generate more secure passwords.

Installing Pwman3

The Ubuntu repositories have pwman3 v0.0.5, so if you’re not up for a bit of tinkering, you can go ahead and “sudo aptitude install pwman3” and be in pretty good shape. The latest version, which I’ll be using here, is 0.0.6, and is available here.

To get things ready, you’ll need a few dependencies. The pwman3 documentation says it needs “python-celementtree”, “python-crypto”, and “python-pysqlite2”. The first two are in the Ubuntu repositories, so you can go ahead and install them. “python-pysqlite2” isn’t there, so download the latest 2.x.x release of pysqlite from here (2.3.3 as of now).

To install pysqlite 2.3.3, you’ll need to install “build-essential”, “libsqlite0-dev”, and “libsqlite3-dev” from the Ubuntu repositories. Once you have these dependencies, you can extract the pysqlite .tar.gz, and run the following in the directory that it creates:


sudo python setup.py install

Now, you should be all set to install Pwman3 0.0.6. You can extract it and install it the same way as you installed pysqlite:


sudo python setup.py install

Modifying Pwman3

Before we start using it, there’s something I’d like to change about pwman3. When you set it up to store a password, it gives you the option of generating a new password. This is a great feature, as you can have a different, strong password for each account you store in it. Unfortunately, by default, the password generation will only generate passwords that contain upper- and lower-case letters. Adding digits widens the per-character alphabet from 52 to 62 symbols, which is worth about two extra bits of entropy on an 8-character password; extra length buys considerably more than extra character classes, so also ask for the longest password each site will accept.

Take a look at /usr/lib/python2.5/site-packages/pwman/util/generator.py, which contains the password generation code. It’s well written and fairly complex. There’s some functionality for “leetify”-ing the passwords it generates with symbols, but I believe I would prefer to have my passwords generated with “pwgen”, which is available in the Ubuntu repositories. Install pwgen and take a look at its man page to see how it works.

To make pwman3 use pwgen for password generation, make the following change to the generate_password function, which starts at line 40 of /usr/lib/python2.5/site-packages/pwman/util/generator.py :

def generate_password(minlen, maxlen, capitals = True, symbols = True):
    # pwman3's own generator, disabled in favour of pwgen below.
    #(password, hyphenated) = generate_password_shazel(minlen, maxlen)
    #if (capitals):
    #    password = randomly_capitalize(password)
    #if (symbols):
    #    password = leetify(password)

    import subprocess
    # pwgen -s: fully random ("secure") password, -c: at least one capital,
    # -n: at least one digit, then the length. pwgen takes a single length,
    # so maxlen, capitals and symbols are not used here.
    p = subprocess.Popen(['pwgen', '-scn', str(minlen)], shell=False, bufsize=0,
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE, close_fds=True)
    # When stdout is not a terminal, pwgen prints one password followed by a newline.
    output = p.communicate()[0]   # read everything and wait for pwgen to exit
    password = output[:minlen]    # drop the trailing newline
    hyphenated = password         # not used by the rest of pwman3; passed through

    return (password, hyphenated)

As you can see, I’ve commented out the existing generate_password code. First, I start a new pwgen process with arguments for “secure” password creation (-s), at least one capital (-c), at least one numeral (-n), and the requested length. I then read the generated password from pwgen’s standard output, and remove the trailing newline character. The “hyphenated” value that was generated by generator.py’s code doesn’t seem to be used by the rest of pwman3’s code, so I simply copied password into it, where it will be thrown away upon return. Two caveats: pwgen has to be on the PATH of the user running pwman3, and the capitals, symbols and maxlen arguments are now ignored, so if you want symbols in the generated passwords, add -y to pwgen’s arguments.
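To put numbers on the alphabet-size argument above, and to show what a pwgen-style generator has to guarantee, here is an added Python 3 example (it is not pwman3’s or pwgen’s code): it generates mixed-case-plus-digit passwords from the OS CSPRNG with at least one character of each class, and computes the entropy of the letters-only and letters-plus-digits policies at a few lengths. The function names and the 52/62-symbol alphabets are this example’s own.

```python
import math
import secrets
import string

# Character classes. "pwgen -scn" promises at least one capital letter and one
# digit in every password; this generator makes the same promise.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
ALPHABET = LOWER + UPPER + DIGITS      # 62 symbols


def entropy_bits(alphabet_size, length):
    """Entropy, in bits, of a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def has_all_classes(password):
    """True if the password holds a lowercase letter, a capital and a digit."""
    return (any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password))


def generate_password(length, rng=secrets):
    """Random password of the given length from ALPHABET with at least one
    character of each class.

    Characters come from the secrets module (the OS CSPRNG), never from
    random.random(). Rejection sampling (retry until every class is present)
    keeps the result uniform over all qualifying passwords; "pick one of each
    class, then fill the rest" would skew the distribution.
    """
    if length < 3:
        raise ValueError("need at least 3 characters to hold one of each class")
    while True:
        candidate = "".join(rng.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def compare_policies(lengths=(8, 12, 16)):
    """Entropy of letters-only (52 symbols) versus letters-plus-digits (62
    symbols) passwords, as {length: (letters_bits, letters_digits_bits)}."""
    return {n: (round(entropy_bits(52, n), 1), round(entropy_bits(62, n), 1))
            for n in lengths}


if __name__ == "__main__":
    for n, (letters, with_digits) in compare_policies().items():
        print("%2d chars: letters only %.1f bits, with digits %.1f bits"
              % (n, letters, with_digits))
    print("example:", generate_password(12))
```

Running it shows that digits add about two bits at eight characters, while two more letters-only characters add more than eleven; the length you ask pwman3 for is the knob that matters. At eight characters roughly a quarter of candidates are rejected (nearly all for lacking a digit), so the retry loop normally finishes within a few iterations.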

By default, pwman3 keeps a readline command history in ~/.pwman/history. This is a bad idea: the file is plaintext and records every command you typed, including the tags you filtered on and the entries you edited, so it reveals which accounts you hold and when you used them even though the database itself is encrypted. Open up ~/.pwman/config and change the “[Readline]” section to look like this:

[Readline]
history = /dev/null

You can now remove the existing ~/.pwman/history, which already holds whatever you typed before making the change.

Using Pwman3

It’s very easy to use! It has a simple readline-based console interface, with help that displays a list of commands that are valid:

weasel@hacktop:~$ pwman3
Please enter your new password:
Please enter your new password again:
Pwman3 0.0.6 (c) Ivan Kelly <pwman@bleurgh.com>
pwman> help

Documented commands (type help <topic>):
========================================
EOF    delete  exit    filter  help    list  new     print  save  tags
clear  edit    export  forget  import  ls    passwd  rm     set 

pwman> help tags
Usage: tags
Displays all tags in used in the database.
pwman> help filter
Usage: filter <tag> ...
Filters nodes on tag. Arguments can be zero or more tags. Displays current tags if called without arguments.
pwman>

When you first use pwman3, it will have you choose a password to protect its password database. Make this password strong and memorable. From there, you can add accounts to the database with “new”, “edit” them, “filter” on tags, and “list” all accounts that match the current filter. To view more information on an account, you can “print” its number.

Thanks to all of the participants in the BBS for spurring discussion that can lead to posts like this!

Intercepting Voice-Over-IP Calls

Sunday, May 20th, 2007

Many thanks to the PaulDotCom podcast crew for mentioning this on the latest show (Episode 69). I had apparently missed out on it before now, and it sounds great.

VoiPong is a sniffer that picks up on all sorts of VoIP protocols, decodes the traffic, and saves them to .wav files. How cool is that :) ? Looking at the site’s news and the file dates, the latest version is a couple of years old, which makes it even more stupefying that I’ve missed this.

There’s a Live CD too, if that’s the sort of thing you’re into. I’ll probably play with this a bit and if it’s a lot of fun (as it seems to be), I’ll post about it.

Playing With Fire: Malware in VMs

Wednesday, May 16th, 2007

Lately I’ve been reading Eldad Eilam’s “Reversing: Secrets of Reverse Engineering”, working through all of the exercises and such. I need to build up my skills at really low level workings of Windows, static analysis of disassembled code, and debugging a live process more effectively. This is the perfect book for that, so I’ve been really enjoying it.

When I received some malware, attached to a “Message could not be delivered” email, I figured I’d play with it a bit, as I often enjoy doing. Now, this is the sort of thing VMWare Server is excellent for. If you’re running Ubuntu, check here for a nice writeup on getting it going on 6.10. For Feisty, check my comments :) . I can create a checkpoint before I load the malware onto the system, and then rewind it back to that clean state whenever needed.

I already had a Windows XP VM that I was using OllyDbg in, working through Eilam’s examples, so I figured it’d be fun to load up some malware and see what I could do. Unfortunately, I’m not far enough into the book yet to beat this malware’s executable packing and anti-debugging features ;) . Not to be discouraged, I dropped back to one of my usual techniques for analyzing malware: seeing how it interacts with the network.

For this, I could run Wireshark in the host OS (Linux) without fear of the malware affecting it. (Note that with bridged or NAT networking the worm’s SMTP and HTTP traffic really does leave your machine; a host-only network with a fake mail server and DNS resolver on the host captures the same behaviour without letting it out.) Here’s some notes:

As you can see, this executable tries hard to make itself look like an HTML file (that’s a “.com” at the end of all those spaces). A proper icon would have helped though.

I was very happy that, when I ran the malware, the Windows Firewall popped up to ask me if I wanted to let it access the network. The malware was smart enough to call itself “services”, which is innocuous enough for a lot of people. For the purposes of testing, I went ahead and allowed it.

After a while of sniffing traffic, I stopped the Wireshark capture, and began restoring the VM back to a clean slate. The traffic mostly consisted of email (sending out copies of itself, boring and unsuccessful), and web traffic (much more interesting). So, if you want to take a look at the sort of web requests that are being made in a packet dump, here’s a nice display filter…

This filter resulted in a large number of searches on lots of search engines, presumably looking for more email addresses to spread to on sites that it found in my browser history:

I’m impressed by the wide variety of search engines and terms that I’ve seen it use. I do, however, question the practicality of mining debian.org for people vulnerable to Windows malware ;-)

So, for this exercise, I intentionally didn’t search out any information about the virus beforehand, but this is always a good idea. Google the md5 hash of the malware you get your hands on, run strings over it and search for any unique strings, and anything else you can think of. Anytime you can find someone who’s already done analysis for you, you have saved some time. Just be sure to verify their results, because they may not know what they’re doing, or maybe you have a new variant.
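Before running a sample, the things worth searching for are its hashes, its printable strings, and (from the attachment described earlier) a filename that hides an executable extension behind whitespace padding. The following Python 3 script is an added example, not the author’s tooling: it implements a strings(1)-style extractor, MD5/SHA-1/SHA-256 hashing and a padded-extension check, and runs them over a constructed byte string and filename (the SAMPLE_* constants are invented stand-ins, not the worm from this post).

```python
import hashlib
import re

# Extensions Windows will execute on a double-click (an assumed, non-exhaustive list).
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}


def extract_strings(data, min_len=4):
    """Runs of at least min_len printable-ASCII bytes, like strings(1)'s default."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 hex digests: what you search for, and what a
    VirusTotal report is keyed on."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def disguised_extension(filename):
    """Detect names such as 'message.html<spaces>.com', where a harmless
    extension is shown first and the real, executable one is pushed out of
    view by whitespace padding. Returns (shown_ext, real_ext) or None."""
    stem, dot, real_ext = filename.rpartition(".")
    if not dot or real_ext.lower() not in EXECUTABLE_EXTS:
        return None
    padding = len(stem) - len(stem.rstrip())
    visible = stem.rstrip()
    _, shown_dot, shown_ext = visible.rpartition(".")
    if padding >= 2 and shown_dot and shown_ext.lower() != real_ext.lower():
        return shown_ext.lower(), real_ext.lower()
    return None


def triage(filename, data):
    """Everything worth looking up before the sample is ever executed."""
    return {
        "filename": filename,
        "disguised": disguised_extension(filename),
        "size": len(data),
        "hashes": file_hashes(data),
        "strings": extract_strings(data),
    }


# Constructed stand-in for a mail attachment; not the sample from the post.
SAMPLE_NAME = "message.html" + " " * 40 + ".com"
SAMPLE_DATA = (b"MZ\x90\x00" + b"\x00" * 8
               + b"This program cannot be run in DOS mode.\r\n"
               + b"\x00" * 4 + b"smtp.example.test\x00"
               + b"\x01\x02\x03")

if __name__ == "__main__":
    report = triage(SAMPLE_NAME, SAMPLE_DATA)
    print("disguised extension:", report["disguised"])
    for name, digest in report["hashes"].items():
        print("%-6s %s" % (name, digest))
    for s in report["strings"]:
        print("string:", s)
```

The extension check only fires when an executable extension follows at least two characters of padding and a different visible extension, so a plain report.exe or a file with a single extension is not flagged; the strings list is what you grep and search on, and is also where a hard-coded mail server or search-engine URL tends to show up on an unpacked sample.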

For the sake of completeness, here’s what VirusTotal.com had to say about this malware:


Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.16.2007 Win32/MyDoom.worm.40960.B
AntiVir 7.4.0.23 05.16.2007 Worm/Mydoom.BB.1
Authentium 4.93.8 05.16.2007 W32/Mydoom.BF@mm
Avast 4.7.997.0 05.16.2007 Win32:Mydoom-L2
AVG 7.5.0.467 05.16.2007 I-Worm/Mydoom
BitDefender 7.2 05.17.2007 Win32.Mydoom.AQ@mm
CAT-QuickHeal 9.00 05.16.2007 I-Worm.Mydoom.m
ClamAV devel-20070416 05.16.2007 Worm.Mydoom.M-unp
DrWeb 4.33 05.16.2007 Win32.HLLM.MyDoom.54464
eSafe 7.0.15.0 05.16.2007 Win32.Mydoom.bf
eTrust-Vet 30.7.3638 05.17.2007 Win32/Mydoom.BA
Ewido 4.0 05.16.2007 Worm.Mydoom.m
FileAdvisor 1 05.17.2007 no virus found
Fortinet 2.85.0.0 05.17.2007 W32/MyDoom.BE@mm
F-Prot 4.3.2.48 05.16.2007 W32/Mydoom.BC@mm
F-Secure 6.70.13030.0 05.17.2007 Email-Worm.Win32.Mydoom.am
Ikarus T3.1.1.7 05.16.2007 Email-Worm.Win32.Mydoom.m
Kaspersky 4.0.2.24 05.17.2007 Email-Worm.Win32.Mydoom.am
McAfee 5032 05.16.2007 W32/Mydoom.bf@MM
Microsoft 1.2503 05.17.2007 Worm:Win32/Mydoom.BF@mm
NOD32v2 2272 05.17.2007 Win32/Mydoom.AX
Norman 5.80.02 05.16.2007 W32/MyDoom.AU@mm
Panda 9.0.0.4 05.16.2007 W32/Mydoom.AT.worm
Prevx1 V2 05.17.2007 no virus found
Sophos 4.17.0 05.16.2007 W32/MyDoom-BE
Sunbelt 2.2.907.0 05.17.2007 VIPRE.Suspicious
Symantec 10 05.17.2007 W32.Mydoom.BB@mm
TheHacker 6.1.6.115 05.15.2007 W32/Mydoom.am
VBA32 3.12.0 05.16.2007 MalwareScope.Email-Worm.Mydoom.1
VirusBuster 4.3.7:9 05.16.2007 I-Worm.MyDoom.BC
Webwasher-Gateway 6.0.1 05.17.2007 Worm.Mydoom.BB.1
Additional Information
File size: 41312 bytes
MD5: 34e99b96a132caac09c5f3c4f4db7636
SHA1: 9c25a1841dc4ac0eb0503f1a8707e9cbab9f6eb2
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

I’m going to assume that FileAdvisor and Prevx1 just had a bad day or some kind of glitch, because I’m not sure why else they wouldn’t be able to recognize MyDoom. As long as you’re using pretty much anything else, it looks like you’re safe!

…or you could just use VMWare and restore to a clean state after your questionable activities ;) .

McGrew Security BBS

Sunday, May 13th, 2007

A friend and I were discussing some of the problems with many security, or hacking, related forums yesterday, and he challenged me to implement some of my ideas about forums in one of my own. In the past, I’ve considered setting up forums on here, but was skeptical of it actually taking off. I still am, however I’m now willing to give it a try. I set up PunBB yesterday, tinkered around with it for a while, and I think it’s finally in decent enough shape to make available to visitors.

There are a few things that make it different from most forums, and a lot of it is inspired by the “good ole days” of dial-up BBS:

  • Sign-up - To view or post anything, you need to be a member. To become a member takes more than simply providing an email address. Members are expected to fill out a small application and email it to me.
  • Lurking - Members are expected to participate. Long periods of inactivity may lead to one’s account being “unactivated”. Members have the ability to read, take part in, and start discussions that take place in a relatively private and exclusive environment where they can be sure there’s not a lot of people just silently looking over their shoulder.
  • Status - User ranks based on post counts are silly, and this is done away with. As it stands now, you’re either in, or you’re out. If you’re in, you’re in good standing and will be respected as such. If you misbehave, you’re out.
  • Atmosphere - The idea is to trade in a large user base and readership for something better: a close-knit community.
  • Enforcement - There are rules, but not many. Rather than having a strict set of rules, moderation will center around discouraging and removing behavior that’s bad for the community. Well behaved members will have nothing to worry about.

So, it’s an experiment, as well as a throwback to old-timer nostalgia of dial-up BBS’s. If you are interested in computer security and forensics discussion that is a little more mature than most web-based forums, then I encourage you to join:

McGrew Security BBS

SANS Stark Vegas - SYN City!

Thursday, May 10th, 2007

Tonight, here in Starkville, MS, I taught my first of what will hopefully be many training classes for SANS. Tonight, 8 very bright students (mostly IT staff for the university) took part in “Stay Sharp: IP Packet Analysis”. I say they “took part”, rather than “attended”, as each and every one of them contributed a lot and turned the class into a very collaborative learning experience. I think everyone walked out with a few new tricks up their sleeves, including myself.

Many thanks to my talented wife, Crystal, for making the refreshments enjoyable with this wonderful creation:

Dinner afterwards at the Bulldog Deli with a handful of the students was a great way to wind down too!

I’m really looking forward to teaching more of these classes, and participating in improving and developing course materials. Stay tuned!

Yet Again, Phishers Have Bad OpSec

Sunday, May 6th, 2007

The next time you’re plotting a cunning scheme, be very careful when you’re doing your homework. You might wind up tipping your hand prematurely…


20070505.log:24.117.239.142 - - [05/May/2007:17:51:41 -0400] "GET /blog/?cat=15 HTTP/1.1" 200 5450 "http://www.google.com/search?hl=en&q=How+to+make+a+phishing+site+for+runescape" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

Apparently, I’m the first hit on Google for runescape phishing site creation, thanks to the article where I talked about tracking phishers through web bugs. The Referer header his browser sent along carried the whole Google search URL, query terms included, which is how it ended up in my access log. It’s already a bad sign for your skills when you have to Google this sort of thing, but it’s even worse when you wind up at a page like this. Maybe he should have just viewed it from Google’s cache.

Note that I haven’t obscured the IP address, so when this kid follows through and winds up in a lot more logs, whoever does the investigation might find this ;) . Just to make sure it’s indexed well: 24.117.239.142 which is 24-117-239-142.cpe.cableone.net. Time stamps and user agents and such are available in the log entry above. Feel free to contact me if you need any help ;) .
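A log entry like the one above is only useful if something is watching for it. As an added example (not the author’s setup), this Python 3 script parses combined-format web-server log lines, pulls the search terms out of a search-engine Referer URL, and flags visits that arrived via a query containing a watch-listed term. The log lines are constructed to match the entry above but use RFC 5737 test addresses instead of the real one, and the watch list and the set of search-engine query parameters are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" log format, with an optional "file.log:" prefix of
# the kind grep leaves on its output (as in the entry quoted in the post).
LOG_RE = re.compile(
    r'^(?:\S+?\.log:)?(?P<ip>[0-9a-fA-F.:]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Query-string parameters that carry the search terms on common engines (assumed).
SEARCH_PARAMS = ("q", "p", "query", "search")


def parse_line(line):
    """Fields of one combined-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def search_terms(referer):
    """Search terms carried in a search-engine referer URL, decoded, or None."""
    if not referer or referer == "-":
        return None
    qs = parse_qs(urlparse(referer).query)   # also turns '+' back into spaces
    for key in SEARCH_PARAMS:
        if key in qs and qs[key][0]:
            return qs[key][0]
    return None


def flag_searches(lines, watch_terms):
    """(ip, timestamp, search terms) for each request whose referer shows the
    visitor arrived via a search containing any of watch_terms."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # unparseable line; skip rather than crash
        terms = search_terms(rec["referer"])
        if terms and any(w in terms.lower() for w in watch_terms):
            hits.append((rec["ip"], rec["ts"], terms))
    return hits


# Constructed log lines modelled on the entry in the post (RFC 5737 addresses).
SAMPLE_LOG = [
    '20070505.log:192.0.2.10 - - [05/May/2007:17:51:41 -0400] "GET /blog/?cat=15 HTTP/1.1" 200 5450 '
    '"http://www.google.com/search?hl=en&q=How+to+make+a+phishing+site+for+runescape" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"',
    '192.0.2.11 - - [05/May/2007:18:02:07 -0400] "GET /blog/ HTTP/1.1" 200 8100 '
    '"http://www.google.com/search?q=wireshark+display+filter+http" "Mozilla/5.0"',
    '192.0.2.12 - - [05/May/2007:18:05:33 -0400] "GET /tools/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
WATCH_TERMS = ("phishing", "phish", "keylogger")

if __name__ == "__main__":
    for ip, ts, terms in flag_searches(SAMPLE_LOG, WATCH_TERMS):
        print("%s [%s] arrived via search: %s" % (ip, ts, terms))
```

Only the first constructed line is reported; the benign Wireshark search and the direct visit with no Referer are ignored, and a line that does not match the log format is skipped rather than aborting the run.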