contact Wesley McGrew: | email - wesley@mcgrewsecurity.com | gpg key | aim - wesleymcgrew | twitter - mcgrewsecurity |

McGrew Security Blog

Archive for February, 2008

Imaging Memory After a Cold Boot

Thursday, February 21st, 2008

I’m taking a very short break from my Ph.D. preliminary exam to write a short post about this, because it’s so cool :) .

The Center for Information Security Policy at Princeton has published a very interesting paper on recovering encryption keys by imaging memory after a computer has been forcibly shut down:

Modern RAM chips hold state for longer than most people expect after power has been removed. I became aware of this a while back, and after testing it out, found that the time varied wildly between computers. When I did this, I used a minimal linux boot CD to write a known string to memory over and over again, filling it up. Then I’d pull power, leave it off for a short while, then boot back up and see if I could find the string in memory again. On the desktop machine I tested it on, the string would stay in memory for a few seconds with the power off. Amazingly, with my Latitude C400 laptop, it would stay in memory for a good 10 minutes (with no battery or wall power).

It’s really fun stuff, and it’s nice to see it fleshed out way better than my own limited experiments.
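As an added illustration (my own example, not code from this post or from the Princeton paper), here is a small Python simulation of the experiment described above: fill an image with a known marker, model the decay that sets in once power is cut, then measure how much survived and whether the marker can still be found. The marker string, the 4 KB image and the fixed every-100th-bit decay stride are all constructed for the example; real decay is random and differs from chip to chip, which is what the desktop-versus-Latitude timing difference reflects.

```python
# Constructed simulation of the "fill memory with a known string, cut power,
# look for it again" experiment. The image bytes are built here, not captured
# from real RAM, and decay is modelled as evenly spaced bit flips.

MARKER = b"McGrewSecurityMemTest!"  # constructed 22-byte marker string


def fill_pattern(size, marker=MARKER):
    """Build an image of `size` bytes made of the marker repeated back to
    back, the way the boot CD filled physical memory with a known string."""
    return (marker * (size // len(marker) + 1))[:size]


def apply_decay(image, every_nth_bit):
    """Model remanence decay by flipping every `every_nth_bit`-th bit.
    Real decay is random and region dependent; a fixed stride keeps the
    example deterministic so its numbers can be checked by hand."""
    buf = bytearray(image)
    for bit in range(0, len(buf) * 8, every_nth_bit):
        buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def bit_errors(a, b):
    """Hamming distance in bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("images must be the same length")
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def decay_rate(original, recovered):
    """Fraction of bits that changed between what was written and what was
    read back after the power cut (0.0 means perfect retention)."""
    return bit_errors(original, recovered) / (8 * len(original))


def find_marker(image, marker=MARKER, max_bit_errors=0):
    """Offsets at which the marker occurs, tolerating up to `max_bit_errors`
    flipped bits per copy. An exact search (0) is what a naive grep of a
    memory image does, and it misses lightly decayed copies."""
    target = int.from_bytes(marker, "big")
    width = len(marker)
    hits = []
    for offset in range(len(image) - width + 1):
        window = int.from_bytes(image[offset:offset + width], "big")
        if bin(window ^ target).count("1") <= max_bit_errors:
            hits.append(offset)
    return hits


if __name__ == "__main__":
    original = fill_pattern(4096)
    recovered = apply_decay(original, every_nth_bit=100)  # about 1% of bits flipped
    print("decay rate: %.4f" % decay_rate(original, recovered))
    print("exact matches after decay:    ", len(find_marker(recovered)))
    print("matches allowing 2 bit errors:", len(find_marker(recovered, max_bit_errors=2)))
```

The tolerant search is the point: an exact grep of a dumped image understates what survived. With roughly 1% of bits flipped an exact match finds nothing, while allowing two bit errors per copy recovers all 186 copies of the marker in the 4 KB image.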

Spoofing Twitter Messages

Thursday, February 14th, 2008

(so long as your target is using BitlBee ;) )

A few friends and I have been playing around with Twitter. I started using it to have a fun little place on my sidebar where I can paste stupid IRC quotes, fun links, and snarky comments about things. I wrote a bit of code so I could post to the Twitter thing on my sidebar from standard input on the command line (requires py-twitter):


#!/opt/local/bin/python2.4
# Posts whatever arrives on standard input as a Twitter update (requires py-twitter)
import twitter
import sys

# Add your twitter.com username and password here
user = "username"
pw = "password"

# Authenticate against the Twitter API with basic auth
api = twitter.Api(username = user, password = pw)

# Everything read from stdin, newlines included, becomes the update text
api.PostUpdate(sys.stdin.read())

When I tested this out, I inserted a newline ("\n") into the input, in order to see if my sidebar would render it (it doesn’t). I didn’t think much more of this, until a friend on IRC pointed out that it did render the newline in the title area of the post in the Liferea RSS reader. This inspired me to see if Liferea would render a lot of newlines (it does), so I whipped up a quick message, posted it, and another friend on IRC pointed out how it affected his twitter-follower of choice, BitlBee:


20:47 <@cs_weasel> jgk: now that I think about it, I wonder *how* many newlines liferea will render in a title
20:51 < alindeman> (02:49:26) McGrewSecurity: l
20:51 < alindeman> (02:49:26) o
20:51 < alindeman> (02:49:26)
20:51 < alindeman> (02:49:26) s
20:51 < alindeman> (02:49:26)
20:51 < alindeman> (02:49:26) o
20:51 < alindeman> (02:49:26) f
20:52 < alindeman> (02:49:26)
20:52 < alindeman> (02:49:26) n
20:52 < alindeman> (02:49:26) e
20:52 < alindeman> (02:49:26) w
20:52 < alindeman> (02:49:26) l
20:52 < alindeman> (02:49:26) i
20:52 < alindeman> (02:49:26) n
20:52 < alindeman> (02:49:26) e
20:52 < alindeman> (02:49:26) s
20:53 <@cs_weasel> lol
20:53 <@cs_weasel> i misspelled “lot’s”
20:54 <@cs_weasel> alindeman’s turns out to take some collatoral damage
20:54 < alindeman> You mean you misspelled “lots” ? ;-)
20:55 <@cs_weasel> yeah

My friend here uses BitlBee as his IM client, and has twitter updates sent to him on it via the Jabber/Google Talk interface. I thought for a moment… my friend subscribes to (and maintains automatically with some scripting) a twitter called “msstate” that aggregates all the news and such about the university…


20:55 <@cs_weasel> oh wait watch this
20:55 < alindeman> 140 new lines?
20:55 < alindeman> I bet there is some DoS potential
20:55 <@cs_weasel> no
20:56 < alindeman> OHHH NICE
20:56 < alindeman> DAMN, good call
20:56 <@cs_weasel> paste!
20:56 < alindeman> (02:55:49) McGrewSecurity: Another boring day
20:56 < alindeman> (02:55:49) msstate: MAROON ALERT world is ending MAROON ALERT
20:56 <@cs_weasel> :-D

This was done by sending "Another boring day\nmsstate: MAROON ALERT world is ending MAROON ALERT".

This won’t work with most IM clients. It works with BitlBee since it uses IRC and breaks up newline’d text by making it a separate message. Still a lot of fun ;)
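Here is an added Python model (my example, not BitlBee’s or py-twitter’s code) of why the newline trick works and what a relay should do about it. relay_naive reproduces the behaviour visible in the log above, where only the first line gets the sender prefix and every further line goes out as its own IRC message; relay_safe flattens control characters before forwarding, so one update can never be split into what looks like a second sender. The sample update is the one quoted above, constructed inline.

```python
import re

# Constructed sample: the update quoted in the post, with a real newline in it.
SPOOF_UPDATE = "Another boring day\nmsstate: MAROON ALERT world is ending MAROON ALERT"

# Any C0 control character (NUL..US) or DEL. CR and LF are the ones that
# matter for IRC, since a bare line break terminates a protocol message.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def relay_naive(sender, text):
    """Model of the behaviour seen in the log: the update is cut at every
    newline, only the first piece carries the 'sender:' prefix, and each
    piece is delivered as a separate IRC message."""
    lines = text.split("\n")
    return ["%s: %s" % (sender, lines[0])] + lines[1:]


def sanitize(text):
    """Collapse control characters and runs of whitespace into single
    spaces so an update can never span more than one protocol line."""
    flattened = CONTROL_CHARS.sub(" ", text)
    return " ".join(flattened.split())


def relay_safe(sender, text):
    """Hardened relay (added here, not BitlBee's code): sanitize first, then
    emit exactly one message, so the sender prefix covers the whole update."""
    return ["%s: %s" % (sender, sanitize(text))]


if __name__ == "__main__":
    for msg in relay_naive("McGrewSecurity", SPOOF_UPDATE):
        print("naive:", msg)
    for msg in relay_safe("McGrewSecurity", SPOOF_UPDATE):
        print("safe: ", msg)
```

Run as-is, the naive relay prints the two lines exactly as they appeared in alindeman’s client, the second one looking like it came from msstate; the safe relay prints a single prefixed line. The same sanitizer also turns the 140-newline message into one short (empty) update rather than 140 messages.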

So, if you’re into whatever’s on my mind, mixed in with occasionally weird freakout messages like the above, check out the Twitter sidebar I have now on this site, follow me on twitter.com from it, and add a feed of it to the software of your choice (if you’re brave ;) ).

Total Recall: Tracking Firefox Users Across Multiple IPs

Wednesday, February 13th, 2008

Here’s another great post over at 0x000000. I don’t really want to just make a post every time there’s one there, but they’re always so high quality that it’s tempting to. This time, it’s well justified. Some proof-of-concept code has been released that uses some of the vulnerabilities that 0x000000 has been talking about (for quite some time now) to track Firefox users across multiple IP addresses. This goes to show how difficult it is to maintain anonymity when your web browser fights you every step of the way:

The idea is to try to retrieve the chrome DTD files from a number of different plugins, as well as some other browser settings, build a hash, and then use that hash as a sort of fingerprint for a visitor. With this fingerprint, a visitor’s use of the site could be tracked, even when hopping IP addresses by proxies or anonymizing networks like Tor. Very clever stuff.

Hats off again to 0x000000. This’ll be a lot of fun to play with.
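An added Python sketch (my own, not the released proof-of-concept and not 0x000000’s code) of how a fingerprint like this links sessions: the probe answers plus a browser setting are hashed into one identifier that deliberately leaves the IP address out, so two visits through different proxies land in the same bucket. The extension names, user-agent string and IP addresses are constructed placeholders. The last function models the mitigation side: once every probe answers the same for every visitor, the hash stops separating them.

```python
import hashlib
import json

# Constructed probe results. Each key stands for one chrome DTD the page tried
# to load; True means the browser served it (extension present), False means it
# did not. The extension names are placeholders, not the real files probed.
SESSIONS = [
    # first visit from a home connection
    {"ip": "203.0.113.10", "ua": "Firefox/2.0.0.12",
     "probes": {"ext-alpha": True, "ext-beta": False, "ext-gamma": True, "ext-delta": False}},
    # same browser later, exiting through a proxy: new IP, identical answers
    {"ip": "198.51.100.7", "ua": "Firefox/2.0.0.12",
     "probes": {"ext-alpha": True, "ext-beta": False, "ext-gamma": True, "ext-delta": False}},
    # a different browser that happens to share the first IP (NAT)
    {"ip": "203.0.113.10", "ua": "Firefox/2.0.0.12",
     "probes": {"ext-alpha": False, "ext-beta": False, "ext-gamma": True, "ext-delta": True}},
]


def fingerprint(ua, probes):
    """Hash the probe answers and a browser setting into one identifier.
    Sorted keys and fixed separators make the hash stable for identical
    answers no matter which order the probes completed in."""
    canonical = json.dumps({"ua": ua, "probes": probes},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def link_sessions(sessions):
    """Group session records by fingerprint. The IP address is deliberately
    not part of the hash, so hops between proxies end up in one group."""
    groups = {}
    for s in sessions:
        groups.setdefault(fingerprint(s["ua"], s["probes"]), []).append(s["ip"])
    return groups


def uniform_answers(probes):
    """Mitigation model (an assumption for the example): if web content can
    no longer tell whether a chrome resource exists, every probe answers the
    same for every visitor, and the probe part of the fingerprint collapses."""
    return {name: False for name in probes}


if __name__ == "__main__":
    for fp, ips in link_sessions(SESSIONS).items():
        print(fp[:16], "seen from", ips)
```

Two things fall out of the grouping: the first two sessions share a hash despite different IPs, and the third does not despite sharing an IP with the first. Feed the same sessions through uniform_answers and the two distinct browsers become indistinguishable, which is the property a fix has to restore.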

Upcoming Reviews

Wednesday, February 13th, 2008

I should have my copy of “No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing” in soon, with a review soon to follow. It’s written by Johnny Long, who has given some talks at conferences in the past year or two on the topic. If the book is as good as the talks, I imagine I’ll enjoy it quite a bit. Oh, and Kevin Mitnick has a part in the production of this book, as the “Series Editor”.

I’m also wanting to get into doing some hardware reviews, starting with some devices that might be good for “road warrior”-type security professionals. I am currently awaiting a review unit of the Cloudbook from Everex (Asus never responded to requests to review the Eee-PC). I was in contact with Nokia about the N810, a followup to the N800, which was popular among hackers/security geeks, and a review unit was supposed to be shipped to me. Never heard anything else out of it.

The book review should be coming fairly soon though!

Trend Micro Boycott, and the Tale of the Lunchless Lunch & Learn

Monday, February 11th, 2008

Trend Micro & Software Patents

So it seems that Trend Micro is trying to push themselves around on other antivirus products with a patent that they hold on performing antivirus detection on SMTP and FTP gateways. Some commercial vendors have already settled with them over this; however, Trend Micro is now suing Barracuda for its use and distribution of ClamAV. ClamAV is an open source product, which Trend Micro feels infringes upon their patent. A few links on the subject, then I’ll move on to my personal Trend Micro story:

In my opinion, whatever the open source community decides to do with Trend Micro at this point is fine by me. I started my personal boycott of Trend Micro just under a year and a half ago. Why, you might be asking? Story time…

The Tale of the Trend Micro Lunchless Lunch-and-Learn (or why I will never purchase or recommend a Trend Micro product)

A colleague and I attended SANS Network Security in October of 2006, for the purpose of attending Ed Skoudis’ excellent “Hacker Techniques and Incident Handling Class”, leading up to the GCIH exam. At these larger SANS conferences there is a vendor expo with booths, and also “Lunch and Learn” events throughout the week that vendors take care of. These events are win-win. The vendors get a captive audience for a presentation, and the attendees get a free, and very convenient lunch. Especially at events like NS in Vegas, it can be very difficult to leave the event, eat lunch, and get back in time for class, so the “Lunch and Learns” are very nice.

At the vendor expo, Trend Micro had a booth with a computer running an IRC client, and a setup where they were replaying a packet dump of a carding-oriented IRC channel. Having investigated incidents that involve these channels in the past, I made attempts to discuss the nature of carder/info trading channels with the Trend Micro representative, however he was very reluctant to talk to me (even though there was no one else around). He stated that if we wanted to know more, we could attend his presentation later in the week. I should have known at this point that this guy wasn’t worth the time and forgotten about the whole thing.

On Friday of that week, we left class to attend the talk, and let me tell you it was a train wreck. What many attendees will remember about it was that there was no Lunch, an important aspect of a talk billed as a “Lunch and Learn”. This is bad enough, with 150 or so attendees being unable to get lunch before their training began again (once the presentation got started, it was already too late to feasibly leave and eat lunch).

What was worse was the quality of the presentation. The representative was not a very good presenter, and had no sense of time or pacing. To our astonishment, the slides used had IRC logs similar to those that were scrolling by on the screen at the vendor expo, and these logs contained personal information being traded about the victims of credit card fraud, uncensored. It seems like the least they could have done was attempt to prevent the further spread of data like this.

When the presentation was over (and it ran over time by a significant amount), a SANS representative informed the audience that Trend Micro was going to “make up” for the lack of lunch, which the presenter seemed very upset about. Later, we were all given gift cards good for the restaurants in the hotel, with enough money on them to cover a buffet dinner that night, which at least helped after having not eaten that day.

There was, however, never an apology about this from Trend Micro. When I emailed Trend Micro to inform them of how unprofessional their chosen representative was, and how poorly they were represented, I never received a response. It seems to me that they are fine with what has happened regarding this, and not eager to present themselves well to others in the computer security community.

And for that, I completely support this boycott, as I have since long before it started.

Directory Traversal Exploit in Firefox 2.0.0.12

Sunday, February 10th, 2008

Since I bought my MacBook, I’ve been primarily using Safari, so I haven’t paid as close attention to the recent Firefox vulnerabilities as I should have. I did, however, read about one in the very fresh 2.0.0.12 release (and older). It’s a directory traversal exploit that allows sites to remotely include things that are in Firefox’s program directory. It’s completely trivial to do as well:

http://www.0x000000.com/index.php?i=515

I’m partially posting this because it’s a very simple vulnerability with some interesting impact, but also because I really like 0x000000.com. If you don’t already have it in your feed reader, you need to throw it in there.

Don’t Let Web Apps Dig(g) Around in Your Email

Saturday, February 9th, 2008

I’m in the middle of signing up for Twitter, to play around with, and to see if it might make for a nice, more spontaneous/less rehearsed, companion to the more in-depth posts on this blog. Well I just finished the first stage (was strange that they didn’t ask me to type my password twice), when I get to this screen:

I was all.. “yeah, it’d be cool to see what friends I already have on here let’s just see what I have to fill…. what… oh my.”

New Design

Friday, February 8th, 2008

The new design of mcgrewsecurity.com should be mostly working at this point. As a part of this, the blog has been moved to be the main page, at the root of the site. I have set up a redirect that should make most links to the old location automatically forward to the new location, including the RSS feed. If all goes well, you won’t even have to change your feed URL.

Weird things might still occur as I fix little things here and there.

Edit: It looks like at least one feed reading solution doesn’t like the redirect (Firefox’s livebookmarks, maybe), so you may have to change to the new RSS feed.

Don’t panic

Friday, February 8th, 2008

Things are going to be a little weird here for a short while. I’m moving some stuff around.

The new design is available here, till I get it behaving well with WordPress.

Blackhat USA 2007 Videos

Tuesday, February 5th, 2008

Videos of this past year’s Blackhat conference in Vegas are now available on mirrors.easynews.com (a great place to pick up all sorts of hacker conference materials and media). Some of the talks seem very interesting (especially the “extended” edition of “Tactical Exploitation”), and I’m eager to dig into them:

http://mirrors.easynews.com/blackhat/blackhat-2007-usa-video/

Audio is also available if you go up a directory, or search for Blackhat on iTunes (I’ve loaded up my iPod).