I’ve spent some time looking at these posts over on Gustavo Duarte’s blog today, and I am very impressed.  Gustavo has taken the time to write an entire series of posts on x86 internals, focusing on how memory works and the boot-up process.  He uses Linux and, to a lesser extent, Windows in his examples, and has really great illustrations and diagrams of all the concepts.  Combine that with an excellent writing style and links to good reference material, and you have one of the most accessible and readable introductions to these topics that I’ve ever seen.  

Here are links to the topics from his “Internals” series, although his other writings are worth checking out too:

These are core concepts for those in the areas of vulnerability analysis, exploit development, and (good) penetration testing to know, so read up :) .

I ran across this blog from a link to the most recent post earlier this morning, and unfortunately I spent enough time at the site that I can’t even remember now where I found it.  Otherwise I would give some credit to the person I’m following on twitter or RSS that linked it.  If that person happens to be you, leave a comment to claim your fame :) .

 

The agenda for the SANS Process Control & SCADA Security Summit 2009 has changed a bit and it’s definitely for the better.  I am now scheduled for a session at 1:40 PM, on Monday, February 2nd: In-Depth Discussion: SCADA HMI Software Security Threats with Wesley McGrew.

I plan on using this session to present a talk entitled “Vulnerabilities in SCADA Human-Machine Interface Software”:

In this presentation, I will discuss the attack surface of HMI software, why it might be an attractive target for attackers (and penetration testers!), and how these risks might be mitigated, both by software vendors and end users.  

As an example during this presentation, I will be going through the details of a specific set of vulnerabilities in a widely-used HMI software product.  These vulnerabilities were disclosed to the vendor about 6 months ago, and this will be the first time that they will see public disclosure.  The problems are fundamental to the architecture of this product, easy to understand and follow, and serve as an excellent illustration of the points we’ll be discussing in this session :-) .

If you’re interested in how HMI software fits into SCADA security, a user or developer of HMI software looking for mitigation strategies, or a penetration tester looking for new ways of testing target systems, then I think this would be an interesting talk for you to attend at the Summit.  I’m going to try to keep things interactive with the attendees, and I think we’re going to have a lot of fun.

Get in touch with me if you plan on attending this talk!  I’d love to hear from you.  I’ll also have the slides posted here on my blog once the talk is over.

 

Over at the excellent ethicalhacker.net site, the results of the Santa Claus is Hacking to Town Skillz Challenge have been posted:

These challenges are a lot of fun, and educational as well.  Ed Skoudis puts a lot of effort into writing and judging them.  There’s a whole archive of previous challenges available here, and I highly recommend at least reading through, if not working through, some of the previous challenges.  

This time around, I managed to get an honorable mention for my entry!  I’m very happy with this.  I was unable to test the Windows-centric parts of my solution before I had to submit it and move on to real work, so that part wasn’t 100%, but I did have a really solid way of getting netcat onto the web server via the command-injection-vulnerable script, and some nice netcat pivoting.  

Oh, and apparently I’m a security stud! :

We had entries from notable security studs like Wesley McGrew, Raul Siles, Ryan Linn, Mark Baggett, Zoher Anis, Paul Tartar, and others.

I might put “notable security stud” on some business cards, or maybe a button, now.

 

Marcus J. Carey has uploaded videos from January 8th’s DojoSec event to his Vimeo account here.  I just watched Dale Beauchamp’s talk, “Practitioner’s Guide to Capturing and Analysis of RAM”, and enjoyed it.  It’s definitely worth watching, especially if you’re coming at this from the perspective of an incident handler.  He presents a few Windows memory imaging tools that can be run on a live-and-logged-in system, but a lot of the analysis also applies if you’re dealing with images created by msramdmp in a cold boot attack.


Dale Beauchamp – DojoSec January 2009 from Marcus J. Carey on Vimeo.

 

I will be in attendance and talking at the SANS Process Control and SCADA Security Summit 2009, at the Walt Disney World Dolphin hotel.  I have been invited to take part in the keynote discussion panel on the topic of security issues surrounding the smart grid and Automated Metering Systems.  I’m in very good company on this panel, with three top-tier co-panelists:

I’m looking forward to discussing control system security with these guys, and I’ll try to keep up!  I’m also going to be involved in an interactive workshop on the topic of wireless threats with Matt Carpenter later on in the first day.  If you’re looking for me outside of my talks, I’ll be attending as many other talks as possible, and trying to network with other penetration testers :) .

If any of my readers are going to be attending the summit, please get in touch with me!  I’d love to meet you, and would be happy to talk to you at length about my current SCADA security research interest: vulnerabilities in Human Machine Interface (HMI) products.

 

Yesterday, I took a lighthearted look at some of the Google searches people have used to arrive at this site.  I saved one of them for today, however, because it was enough fun to warrant its own post.  That search query is:

  • crackpal.com review

Well, I suppose I can give that a try.

What is crackpal.com?  It’s a service that promises to hack yahoo, hotmail, rediff, and google Email accounts.  Here’s what their website looks like, if it’s down by the time you read this:

You might remember that I’ve looked at a site similar to this in a previous post.  Here’s how things are supposed to go down, according to their site:

The proof takes the form of screenshots of inboxes, sample emails, contacts, or other personal information.

I decided to see how this would play out, assuming (correctly) that it would work much like the yourhackers.net scheme described in a previous post.  So, yesterday I filled out their order form, using my own yahoo email account as a target, from another account that I had created that is posing as someone who doesn’t like me very much:

This morning, in the wesleymcgrew@yahoo.com account I had a “surprise”!  Yay!

“Helo”?  What am I, an SMTP server?  As you might be able to imagine, I don’t know anyone named Jonathan Regon, and certainly not well enough to warrant “Luv and Regards”.  Let’s take a look at the link to the phishing site:

So, obviously the single “?wesleymcgrew” parameter sets the username.  If you punch in anything and Submit, you get forwarded along to a real 123greetings card:

Cute.

Back to the phishing site, what happens if we take the php filename out of the URL, going straight to the directory?

Neat, no directory protection or index.html/php, but not much of interest.  What if we go up a directory?

Now this looks more interesting.  What’s in Y.txt?

The phishing URL sent to me contained the directory name ending in “1003”.  That corresponds with the “1003” line in Y.txt with the name “Jonathan Reagan”.  Sounds like the Jonathan “Regon” that emailed me.  These are the names being used in the phishing emails, and each of the above directories contains links to greeting cards from these names.

The “/Y/” here stands for Yahoo.  There are similar directory structures on this site for “/H/” (Hotmail) and “/R/” (Rediff).  There is no “/G/” for Gmail, surprisingly, and no other single-letter directories (tried them all).

Who is 123newgreetings.com?  WHOIS shows all contacts as:

Registrant:
    123Greetings.com, Inc.
    Kajaria, Sharad        (greetings123name@yahoo.com)
    1674 Broadway
    Suite 403
    10019
    New York,10019
    US
    Tel. +001.9176036425

This is the exact same contact information as on the real 123greetings.com, with a different email and phone number.

Crackpal.com’s WHOIS information is set to its registrant’s (dynadot.com) private registration-by-proxy name and address.

I have fired off an abuse email to 123newgreetings.com’s host, eukhost.com, so it may be down soon.  Crackpal.com itself appears to be hosted in China, so I don’t hold out much hope for that going down. 

In conclusion:

 

Every night, Analog generates a summary of this site’s logs from the past seven days, and when I bother to check it, it’s an entertaining read.  My favorite part is the “Search Query Report”, which scrapes through my logs, pulling out the search terms people are using on Google (and other search engines) to get to my site.  I think it’s an interesting form of “pre-viewing feedback”, or, more clearly, a reflection of what people are expecting to see when they click a link to go to my site.

Today, I’ve decided to have a bit of fun, share a few of the funnier/more-interesting recent queries, and respond to them.  After all, it is my place to please my new readers ;) :

  • 0x000000 the hacker webzine dead
    • Is it?  It is down.  That’s a shame, I enjoyed reading the articles there, and hadn’t noticed that my RSS reader hasn’t picked up new posts since September.
  • script kiddies haven
    • That is exactly what you have found here at McGrewSecurity.com ;-)
  • personal password management
    • In an early post to this site, I discussed using Pwman3 with a hack I described to make it use pwgen as a password generator.  Nowadays, however, I highly recommend KeePassX.  It works great on OS X, Windows, and Linux.
  • describe ram images
    • Well, I’ll give it a shot:  A RAM image would be a byte-for-byte copy of the contents of RAM at some point in time.  A snapshot in time, if you will.  It’s likely to contain code and data (such as text, images, and even passwords) that were in memory at the time of the image-taking.  You can make one yourself with one of my tools, msramdmp, now that you understand what you are creating.
  • trend micro boycott
  • sans security training rapidshare links, (among other searches for pirated SANS materials)
    • Oooh naughty naughty.  I know it must be expensive to travel to SANS conferences from Saudi Arabia, but perhaps you could do the @Home options.
  • how can i dig up root fs on runescape
  • how to make a runescape phisher
    • I get a lot of search hits from people who are looking for phishing kits. Are these things really that hard to make?  I don’t think so.  A lot of the ones that are out there and available to download also secretly shuffle off the passwords to hurr_ima_hacker@yahoo.com as well.  Phishers phishing phishers.
  • yousif yalda docs
    • A lot of searches like this.  There’s no shortage of people out there mad at this guy.  If you’re new here, you can have some laughs here, here, and here.

This was fun to put together, so I’ll do it again sometime when I gather up more of these interesting search terms.
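For readers who don’t run Analog, the “Search Query Report” described above is not hard to reproduce: the search terms are sitting in the Referer field of each request, inside the query string of the search engine’s results URL.  The following is an added example written for this post, not Analog’s code and not anything from the original site; the log lines and the engine/parameter table are constructed, and the extraction is intentionally tolerant of both `+` and `%20` spacing.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
1.2.3.4 - - [17/Jan/2009:10:01:02 -0600] "GET /2009/01/msramdmp/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=describe+ram+images&hl=en" "Mozilla/5.0"
5.6.7.8 - - [17/Jan/2009:10:05:10 -0600] "GET / HTTP/1.1" 200 8192 "http://search.yahoo.com/search?p=script+kiddies+haven" "Mozilla/5.0"
9.9.9.9 - - [17/Jan/2009:10:07:00 -0600] "GET /feed/ HTTP/1.1" 200 1024 "-" "RSS reader"
1.2.3.4 - - [17/Jan/2009:11:00:00 -0600] "GET /2009/01/msramdmp/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=describe%20ram%20images" "Mozilla/5.0"
"""

# Assumed mapping (constructed for this example): a substring of the referrer
# host that identifies the engine, and the query-string key holding the terms.
ENGINE_PARAMS = {
    "google.": "q",
    "bing.com": "q",
    "search.yahoo.": "p",
    "ask.com": "q",
}

# Combined format: ... "<request>" <status> <bytes> "<referrer>" "<user-agent>"
REFERRER_RE = re.compile(r'" (?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "')


def search_terms(referrer):
    """Return the lower-cased search phrase if the referrer is a known
    engine's results page, otherwise None.  The referrer is client-supplied
    text: treat the result as untrusted data (escape it before putting it
    into an HTML report; log analyzers have been bitten by that)."""
    if not referrer or referrer == "-":
        return None
    parts = urlsplit(referrer)
    host = parts.hostname or ""
    for marker, key in ENGINE_PARAMS.items():
        if marker in host:
            values = parse_qs(parts.query).get(key)  # decodes '+' and %20 alike
            if values:
                return values[0].strip().lower()
    return None


def search_query_report(log_text):
    """Count search phrases across a block of combined-format log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REFERRER_RE.search(line)
        if not m:
            continue
        term = search_terms(m.group("ref"))
        if term:
            counts[term] += 1
    return counts


if __name__ == "__main__":
    for term, n in search_query_report(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {term}")
```

The host check is a plain substring match, which is good enough for a vanity report but not for anything that makes decisions on the result; if you ever act on referrer data, match the hostname exactly.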

 

My wife has discovered just how much money she can save shopping for our groceries using all of the coupons she has found online.  There are entire communities of people who follow and report on the deals you can find.  The only problem for her has been that many of the coupons she has found require a special application by the coupon.com folks.  The application is Windows/OS X only, and she runs Ubuntu.

Since I’m the one with the MacBook, it has become my duty to print the coupons that she forwards along to me.  I was happy to see there was an OS X version of the app, and installed it, only to find out the following:

Well that’s sort of annoying.  It just sends the job right off to the default printer, without asking about anything beforehand.  What’s worse for me is that it won’t “print” to a “graphic format like a PDF”.  A large percentage of my time, I’m not on a network with a printer, so I typically print things to postscript (.ps) files (bravo to Apple for building this into the OS and making it so easy).  When I want the hardcopies, I just tar them up and send them to a shell account on a server where I do have access to a printer.

Since this app doesn’t give me the usual printing dialog box with the option to “print to .ps”, I just had to hack together something.  I created a new printer in “System Preferences”->”Print & Fax”, with the following settings:

I then set this as my default printer.  Next, I set up a netcat listener to listen on the JetDirect port (9100), wait for a print job, and dump the incoming postscript to a file:

nc -l 9100 > output.ps

Once netcat is running and listening, you can print to the printer that you set up, and the result is a postscript file that you can then view, convert, print, etc.  It’s a pretty simple and painless procedure, if you’re dealing with an app that doesn’t play nicely with the printer dialog box.
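The netcat one-liner above is the whole trick, but it captures exactly one job and then exits.  Here is an added example (mine, not part of the original post) that does the same thing in Python so it can be extended: it listens like a JetDirect printer, reads until the print queue closes the connection (which is how both netcat and a real printer know the job is finished), checks for a PostScript header before naming the file `.ps`, and binds to loopback only, because a raw port 9100 listener bound on all interfaces will happily accept jobs, and junk, from anyone on the LAN.  The sample job and the `demo()` wrapper are constructed for the example; the printer you set up in “Print & Fax” is assumed to point at 127.0.0.1 port 9100.

```python
import socket
import tempfile
import threading
from pathlib import Path

# Constructed sample job: a minimal PostScript document, standing in for what
# the raw/JetDirect print queue would send.
SAMPLE_JOB = (b"%!PS-Adobe-3.0\n"
              b"/Helvetica findfont 24 scalefont setfont\n"
              b"72 700 moveto (grocery coupon) show\n"
              b"showpage\n")


def open_listener(host="127.0.0.1", port=9100):
    """Bind a TCP listener the way `nc -l 9100` does.  Loopback by default;
    port=0 lets the OS pick a free port (used by demo())."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def looks_like_postscript(job):
    """Raw queues can also carry PCL/PJL or plain text; check the PS header."""
    return job.startswith(b"%!PS")


def receive_job(srv, out_dir, index=1):
    """Accept one connection, read until the sender closes it (end of job),
    and write the bytes to out_dir/job-NNN.ps (or .raw).  Returns (path, job)."""
    conn, _peer = srv.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:
                break
            chunks.append(data)
    job = b"".join(chunks)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    suffix = ".ps" if looks_like_postscript(job) else ".raw"
    path = out_dir / f"job-{index:03d}{suffix}"
    path.write_bytes(job)
    return path, job


def send_job(port, job, host="127.0.0.1"):
    """Stand-in for the print queue: connect, send the job, close."""
    with socket.create_connection((host, port)) as client:
        client.sendall(job)


def demo(out_dir=None):
    """Capture one constructed job over loopback on an ephemeral port so the
    demo never collides with a real listener.  Returns (path, job)."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="printcap-")
    srv = open_listener(port=0)
    port = srv.getsockname()[1]
    result = []
    worker = threading.Thread(target=lambda: result.append(receive_job(srv, out_dir)))
    worker.start()
    send_job(port, SAMPLE_JOB)       # the listen backlog holds this until accept()
    worker.join(timeout=5)
    srv.close()
    return result[0]


if __name__ == "__main__":
    # Real use: open_listener() on 9100 and loop over receive_job() with a
    # rising index, then print from the printer you created.
    path, job = demo()
    print(f"wrote {len(job)} bytes to {path}")
```

To use it for real, call `open_listener()` with the default port and loop `receive_job(srv, "captured", index=n)` for as many jobs as you expect; each job lands in its own file instead of overwriting `output.ps`.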

 

The 25th Chaos Communication Congress (25C3) took place in Berlin at the very end of December, and definitely had more than its fair share of interesting-looking talks.  Luckily, for those of us who were not able to go to Germany for this conference, videos of the talks have been made available a lot sooner than most conferences manage.  The main page for conference recordings is available here:

At the current time, many talks are not available in the official releases.  There are unofficial recordings of the streams that have talks that are not yet in the official release directories:

The mirror at http://mirror.informatik.uni-mannheim.de/pub/ccc/streamdump/ seems to have the best speed for me at the moment, despite being on the other side of the pond.  Unfortunately, the stream recordings are also missing part of day 4 of the conference, which even more unfortunately means that they are missing Appelbaum and Sotirov’s talk, MD5 Considered Harmful Today, which has drawn a lot of attention over the past week.  Hopefully the releases of official videos will continue, and include this and some of the other missing talks.

There’s plenty to keep you interested while you wait, though.  Here’s a couple of tips to help you understand the bare directory structures of the mirrors, if you don’t pick it up from context:

  • “Saal” is German for “hall”, or “large room”. 
  • “Tag” is German for “day”.

…and that’s about as far as my German skills go.  You’re on your own for the German-language talks :)

© 2012 McGrew Security.  Suffusion theme by Sayontan Sinha.