Every few months or so, I find myself reading the new issue of 2600, The Hacker Quarterly. It’s not a great magazine, or even a good one sometimes, but even if there are no useful articles or projects to tinker with in it, I always get enough laughs out of it to make it worth picking up. This time, I’ve decided to write an article-by-article review of the issue, to give you an idea of what usually shows up in 2600.
Remaining Relevant
Emmanuel discusses the changing landscape of hacker culture. I’ve often made a similar point to his: The hacking “scene” used to be about gaining access to systems and networks for the purposes of experimenting and learning about things that would have normally been inaccessible. Nowadays, with cheap computers, free operating systems, and widespread internet access, it’s hard to justify unlawful intrusion. Now, don’t think for a minute that this sort of logic stops the authors of the more ridiculously malicious articles and letters that you’ll see in 2600. More on those in a bit.
Discovering Vulns
2600 will publish anything. This is part of the spirit of the magazine, giving everyone a voice, however it puts the burden of separating what’s good and what’s bad onto the reader. Unfortunately, the reader is not always a good judge of this, especially if they’re new to a topic.
This article is written by “Cliff”, and is very poorly researched and written. He jumps back and forth between the perspective of discovering vulnerabilities and writing secure software, and he has a fascination with causing applications to use up CPU time. He refers to this form of exploitation as “Starve of Oxygen” and “Slow to Craw”. These join the ranks of many other terms and phrases he simply invents. He demonstrates a clear lack of understanding when it comes to SQL injection, and pretty much every other topic he covers. There is some evidence that he’s experimented with web apps (mentioning Tamperdata when talking about Javascript validation), but not much beyond that. He qualifies his lack of detail upfront by stating that he’s covering “methodology” instead of “script-kiddie examples”, but do not be fooled into thinking that this is anywhere close to the methodology a real vulnerability researcher uses. It’s more likely a grab at getting the free subscription by having an article published.
Fun quotes:
- “Users are dumb, all of them. If they weren’t dumb, they’d have written the app themselves, so assume they’re dumb.”
- “…we may be able to get some secrets out by putting some weird stuff in (technical name here is SQL Injection).”
The Shifty Person’s Guide to Owning Tire Kingdom
This is probably one of the most unapologetically malicious articles I’ve ever seen published in 2600. This one doesn’t even start with the “don’t really do this” disclaimer that these articles usually have. The author demonstrates pretty intimate knowledge of Tire Kingdom’s configuration, indicating that he either works there, or worse, has actually pulled this stunt.
The process of “Owning Tire Kingdom” seems to be a week-long epic adventure. It’ll also require a lot of nerve from people who want to follow along, as it involves a lot of personal contact, social engineering, and sitting at the actual terminals in the store. If successful, there’s the collateral damage of taking an entire store in the chain offline for some time. There’s also a prison sentence in it for you, especially if they’ve fallen for this before and see some of your tricks coming. Even if they haven’t seen it before, most of what you’d be doing is pretty suspicious.
None of it is really that useful or applicable to anything else, so it’s hard to imagine a good reason for publishing it. It would be funny to see some kids getting caught trying to duplicate the author’s efforts, though.
Fun quote:
- “…then grab a phone and walk it around a corner for some privacy.”
Enhancing Nortel IP Phones with Open Source Software
Ariel Saia comes through with one of the good articles in this issue. He uses DD-WRT with OpenVPN to use an IP phone at home as an extension of his office phone system. It’s short, simple, and well written. It’s probably nothing new for VOIP-heads, but for the rest of us it’s pretty good :)
Telecom Informer
This is a regular segment written by “The Prophet”, a telecommunications insider that typically relates some fun knowledge to the reader. This time, it’s about SMS Short Code numbers and the scams that typically revolve around them, with some historical perspective presented of 900-number and long-distance carrier scams. It’s a very fun read.
Deobfuscation
Kousu writes a pretty good article on reversing the obfuscation that SourceCop applies to PHP code. It’s neat, easy to follow, and very similar to some of the deobfuscation articles on the Internet Storm Center’s blog. He has an unusually strong hatred for obfuscation, calling it “nauseating” and “as evil as ASCII can get”, but it’s a good introduction to the topic if you’re interested, and should be easy to follow along with if you get your hands on something obfuscated with SourceCop.
This is also the first appearance of the typical 2600 writer’s ineffective disclaimer in this issue. This time it’s “Boilerplate: I don’t officially condone any of these activities, of course. Use your own judgment.”
Getting 2600 The Safe Way
Alright, after a few good articles, it’s back to some lulz! “daColombian” is super-paranoid about buying 2600, and is even afraid to check the website for new issues, lest his network admin finds it in the logs or whatever. So his trick is to use his personal web site to display the cover image to him, so he can tell when the new one is out. He presents a small ASP page that does this (and grabs the latest Dilbert comic!), but there’s a flaw in his plan: the image is hotlinked straight from 2600.com. If the network admin actually monitored his web access, he’d notice the 2600.com traffic anyway.
Fun Quotes:
- “I live in a very small town where everyone knows everyone’s business and I can only imagine the uproar that the arrival of 2600 would cause.”
Fun at the Airport
Evil Wrangler presents a number of ways that terrorists could get past TSA checkpoints at an unnamed major airport, most of which would result in your immediate arrest once you’re spotted on security cameras. Some of the scenarios are pretty ridiculous too. I’m not sure why terrorists would want to lob explosives into the secured area from the mezzanine, when they could get the same people while they’re waiting in line outside of it. He spots security cameras hooked up to wireless routers and assumes that they’d be hijack-able over X10 (if he’s got his terminology correct with “router”, it implies that these things are talking 802.11).
Basically, if you’re not Bruce Schneier, there’s a decent chance you don’t know what the threats and risks really are when you’re talking about airport security.
Hacking Xfire
I don’t really know a lot about XFire. It apparently keeps track of how long you’re playing specific PC games and publishes this data online. Why? I’m not sure. I don’t want anyone knowing how much time I’m wasting personally :) . Akurei was disappointed with the fact that XFire doesn’t log the amount of time he spends in the development suites for NeverWinter Nights 1 and 2, so he figured out a way to modify XFire’s ini file to trick it into logging those processes as well.
Hacker Perspective
This is another recurring feature, written by a different author each issue. This time it’s written by Mitch Altman, who developed a device, TV-B-Gone. TV-B-Gone is a keychain device that bursts out infrared codes for turning off many different models of televisions. It seems like a very passive-aggressive approach to imposing your dislike of TV on others. Personally, I like watching Hell’s Kitchen each week, and don’t mind dropping an hour or two here and there on entertainment.
This article really isn’t about that, though. It’s a well-written story of how he got to where he is, and I enjoyed it.
Fun Quote:
- “Wiring the basement for sound with the homemade stereos I built was important for listening to Pink Floyd’s Dark Side of the Moon really loud, way high on pot (from the homemade electronic bong I made), meditating on fixing myself so that other people might actually want me around. That brings me to what really saved my life. Pot.”
Valuepoint
“Sidge.2” and “Bimmerfan” disclose some serious flaws in the Valuepoint wireless network service offered by many hotels. The entire administrative interface seems to be wide open to anyone who punches in the right URLs, which can be found in the JavaScript source of the pages on the gateway. The authors do a good job of explaining what’s wrong, and even disclose the name of the hotel in Vegas where they found the problem.
I wonder how long that lasted, with Blackhat and Defcon in the area this past week and weekend :) .
Internet Archaeology
Folks really ought to take more credit for their accomplishments. Here we have a nice, short writeup of how to gather historical/hidden information from websites using archive.org’s Wayback Machine. The author, however, uses the pseudonym “ilikenwf”. Is NWF a wrestling thing?
At the end of the article, he gives a link to his forums, on his personal website, so he’s not trying to keep his name out of the public eye or whatever. While I can understand Mr. Felony not wanting to take credit for the Tire Kingdom article, it’s strange to see all of the non-sociopath articles that are written under pseudonyms. I guess it’s an old school BBS kind of thing.
Hacking Answers by Gateway
“Franz Kafka” used to work as a phone-jockey for Gateway and reveals how to get help from them for troubles with pirated software. The trick is: Lie about it! According to Kafka, this same groundbreaking technique also works for getting Gateway’s help with disabling BIOS and Windows passwords.
If you can’t use pirated software without having to call someone else up for support, perhaps you should spring for a legitimate copy. 2600 gives out free subscriptions for articles like this!
Fun quote:
- “I have parted ways because my colleagues have a different mentality about hacking than I.” Apparently, so do I.
Opinions
“Opinions” (compared with the cold hard facts in the rest of the magazine :) ) is probably better described as a “Letters to the Editor” section. It’s huge, and one gets the impression that, much like the articles, almost every single coherent letter is printed. This is usually my favorite part of the magazine, since you have a good blend of crazies, people calling out the authors of articles on their mistakes, and paranoia. Here’s a rundown on what you will find in this month’s issue:
- Seven letters about the printing and binding of the issues. The text is too small, the ink rubs off on my fingers, I liked the staples better, etc. etc.
- Crypto-nut dthorn responds to all of the people who are criticizing his “Algorithmic Encryption Without Math” article and algorithm. He honestly believes that if you read his work you’ll find “things Bruce Schneier doesn’t want you to know.”
- Two letters in response to a previous sociopath-of-the-month article on stealing library books. Maybe once you’ve cracked that, you can start stealing candy from blind kids.
- Apparently, “Cliff”, who wrote the awful article on “Discovering Vulns” this month, wrote an article on bump keys, because there’s a letter here from a locksmith who’s disappointed with that article as well. “Cliff makes up a lot of terms”… sounds familiar.
- Letters from people who have hacked their way past content filters at school. Back to studying, you kids :)
VoIP Cellphones: The Call of the Future
Toni-Sama presents a short summary of the different technologies being used to implement Voice over IP calling for cellphones. It is informative if you’re interested in that sort of thing, but there’s nothing too technical here. Mostly just a list of what acronym-laden services each provider is or will be offering.
Pandora Hack - Get Free MP3s
SickCodeMonkey describes a way to download MP3s that are streamed to you by an internet radio station. I haven’t tried it out, but it seems like a lot of trouble to go through for one song at a time. I believe I remember the guys at the Hak5 forums having a more automated solution for this. Personally, I’d recommend archive.org’s live music archive, which has more great music than you could ever listen to, without having to worry about the RIAA sending your ISP letters.
Adventures in Behavioral Linguistics
Neuro-linguistic Programming. Marxc2001 certainly seems to think he knows what it’s all about and describes it fairly well. Personally, I think that confidence and planning are more critical to the success of good social engineering attempts, but if subscribing to the tenets of NLP helps someone with their confidence, more power to them. Personally, most of my exposure to NLP has been from the sort of people who are wishing really hard to have “Jedi mind tricks” in real life.
Transmissions
“Dragorn” gives some pretty good advice for improving your operational security in situations where you should be more paranoid. He advises you to run potentially vulnerable software (such as your web browser) as another user that has no access to your private data, which is a pretty good idea (although may not be convenient for you). He also advocates the use of whole-disk/partition encryption, which I agree with, so long as you understand that once the password is entered and the disk is mounted, it’s wide open to whatever processes are running.
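The separate-user trick only isolates your private data if the directories holding it are not readable by that second account in the first place. As an added example (my own script, not from Dragorn’s column or from 2600), here is a small POSIX shell audit that checks a list of directories for group- or world-readable permission bits; the two sample directories it creates are constructed for the demonstration. How you actually launch the browser under the second account (sudo -u plus display-server permissions, typically) depends on your distribution and is left out here.

```shell
#!/bin/sh
# Added example, not from 2600 or Dragorn's column: audit the directories
# that hold private data and report any that a second local account
# (the one you run the browser as) could read. The sample directories
# created at the bottom are constructed for the demonstration.

# dir_is_private DIR
#   exit 0 -> no group/other permission bits set (owner-only access)
#   exit 1 -> some group/other bits are set (another account can read it)
#   exit 2 -> DIR does not exist or its mode could not be read
dir_is_private() {
    [ -d "$1" ] || return 2
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS stat uses -f '%Lp'
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case $mode in *[!0-7]*|'') return 2 ;; esac
    # keep only the group and other bits (octal mask 077); any set bit is a leak
    [ $(( 0$mode & 0077 )) -eq 0 ]
}

# audit_private_dirs DIR...
#   prints one line per directory; returns the number of directories that
#   a second account could read, so 0 means everything checked is private
audit_private_dirs() {
    leaks=0
    for d in "$@"; do
        dir_is_private "$d"
        rc=$?
        case $rc in
            0) echo "ok       $d" ;;
            1) echo "EXPOSED  $d"; leaks=$((leaks + 1)) ;;
            *) echo "missing  $d" ;;
        esac
    done
    return $leaks
}

# --- demonstration with two constructed directories ---------------------
tmp=$(mktemp -d)
mkdir -m 700 "$tmp/documents"   # owner-only: what you want for private data
mkdir -m 755 "$tmp/downloads"   # world-readable: the browser user could list it
audit_private_dirs "$tmp/documents" "$tmp/downloads" "$tmp/does-not-exist"
echo "directories a second local account could read: $?"
rm -rf "$tmp"
```

The check deliberately looks only at the directory mode; it does not follow symlinks or inspect ACLs, so on a system using POSIX ACLs treat an “ok” line as necessary, not sufficient. The same caveat the column makes about disk encryption applies here too: none of this protects data in a directory that is already mounted and readable by the user the process runs as.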
An ISP Story
Another phone-jockey (for an ISP this time) relates a story about trying to help someone who is continuously having their account compromised by unspecified MSN exploits. He couldn’t do much, and neither could the people he telephoned at the attacker’s ISP. Service providers simply can’t afford to hire the sort of security experts/technicians that would be required to investigate all incidents like this. Efforts should be placed on locking down the victim’s setup and preventing future incidents.
Hacking Whipple Hill with XSS
“Azohko” presents a cross-site scripting vulnerability in some school schedule management software by Whipple Hill. This isn’t anything different from the usual XSS you would see on full-disclosure every day, although at least the vendor was notified and they attempted to fix it (badly).
Haunting the MS Mansion
I wasn’t aware of it, but apparently the Norton Ghost 9 bootable CD is based on Windows XP. “Passdown” describes how useful this can be when doing (very simple) recovery of Windows systems, especially those using NTFS. It seems like a pretty decent alternative, if you can’t convince a Linux LiveCD to do what you want.
Reading ebooks on an iPod
“DBTC” covers a few different options for converting long text files into multiple linked “Notes” for viewing on an iPod. This works, but from personal experience, I’d have to say it’s not a very pleasant way to read something. The limitations of the notes system to 4,000 characters or so per file, and the small screen are a bit too much for me.
Java Reverse Engineering
I was really looking forward to reading this article, when I looked at the Table of Contents. Unfortunately, other than telling you to use a Java decompiler, there’s not much real reverse engineering going on here. “quel” spends a couple of short paragraphs on the actual reversing process, and he winds up being more cryptic than the decompiled code itself. The majority of the article is spent on printing the source code to a key generator for Zend Studio, the application being reversed. This article is probably of more use to people who want to pirate Zend Studio than it is to those who are actually interested in reverse engineering Java applications.