Strange Days

•May 24, 2009 • 1 Comment

After my blog post about hacking the gibson, incoming search terms got really weird.  I would like to request that all the people searching for things like “angelina jolie very young,” please don’t do anything creepy around my blog.

Lastly, while it isn’t official, I am pretty sure nUbuntu is dead…  On that note, it was fun and thanks to everyone involved.

Cheers.

N.S….Hey!

•January 22, 2009 • Leave a Comment

I can understand why things like this make the news, but really, at this point, why is anyone surprised?

“The National Security Agency had access to all Americans’ communications — faxes, phone calls, and their computer communications,” Tice claimed. “It didn’t matter whether you were in Kansas, in the middle of the country, and you never made foreign communications at all. They monitored all communications.”

Tice further explained that “even for the NSA it’s impossible to literally collect all communications. … What was done was sort of an ability to look at the metadata … and ferret that information to determine what communications would ultimately be collected.”

Go on you say?  Read more here

Looks like all you TOR lovers aren’t as safe as you thought! ; )

Serious Business

•January 11, 2009 • 4 Comments

It seems strange to me that the new trend to display your abilities as a serious security researcher is your ability to blog. For example, security firms and independent contractors are seeing a big push to actively blog, as it is perceived as a boost to their credibility.

Now, I can understand the reasoning behind this but in all honesty, a majority of the security blogs aren’t really covering any groundbreaking stuff and those that are, have mostly already secured their position as an authoritative entity within the security community.

I guess what I am trying to say is that even if you mean “serious business,” chances are that your blog sucks. Don’t feel bad, this also means my blog sucks but I try and keep it spicy around here where yours is old and busted.

It should be noted that this post really has no substance but I need to keep my blog skills up to substantiate my credibility and if this blog isn’t credible, I don’t know what is.

There’s No Day Like 0-day

•October 25, 2008 • 1 Comment

Hello Childrens!

So it’s been a long while and as I still have people viewing this blog despite the spell of inactivity, I thought it might be best to give any of the regulars an update.

I’ve been pretty busy since I took a new job as a system administrator/in-house security guy, but I am really enjoying it. I get a fair amount of freedom to “play” with my security hobbies in the name of work and, at the same time, learn a lot from an administrator’s point of view rather than just an attacker’s.

Recently we began testing a new IDS/IPS and I was more or less put in charge of auditing it and seeing how well it would perform. My initial impression was that it was simplified enough to provide information directly to the user with no bullshit in between, but this impression was formed before I had enough time to actually probe the application. As it turns out, during this testing (in less than 24 hours) 2 zero-day vulnerabilities were discovered.

The first vulnerability allows a remote attacker to inject arbitrary data into the hosts list of the application. This was initially discovered during some automated exploit testing to see how it reported, what it picked up, etc. After the test(s) concluded, I went to check the logs and noticed that I had some massive Unicode strings under the hosts list. After examining this further, the string looked like the payload of a buffer overflow. Based upon this, it became apparent that an attacker could add any information to the hosts list for this particular IDS. I have also been working to find out if this attack can be leveraged to remove hosts from the list, but as of yet I have not had enough time.

The second 0-day, which kind of piggybacks off of the first, results in a DoS condition on the database the IDPS uses, or at least its search function. If you inject 5 of these Unicode strings into the target monitoring list, the search function never completes. That’s right: if you add 5 of these strings and click search, the database hangs and the search never completes, rendering the program’s only reporting interface for Linux (the web interface) completely useless.

Both of these exploits can be accomplished remotely, with no authentication required and no knowledge of anything on the target system. All you need to do is launch this shit at the IP and it automagically works.
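The root cause described above is a monitored-hosts list that accepts whatever the sensor scraped off the wire, including multi-kilobyte Unicode payloads that later hang the search function. Below is an added example, written for this page and not code from the unnamed product or its vendor, of the input gate a defender would want in front of such a list: it accepts only IP addresses or RFC 1123 hostnames, rejects non-ASCII and oversized entries, deduplicates, and caps growth. The function names, the entry cap and the constructed sample entries are assumptions for illustration.

```python
import ipaddress
import re

# RFC 1123 host label: 1-63 chars, ASCII letters, digits and hyphens,
# no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_HOSTNAME_LEN = 253  # RFC 1123 limit on a full hostname


def is_valid_hostname(name: str) -> bool:
    """True only for a syntactically valid hostname (FQDN with optional trailing dot)."""
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    name = name.rstrip(".")
    labels = name.split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def is_valid_host_entry(entry: str) -> bool:
    """Accept an IPv4/IPv6 address or a valid hostname; reject everything else,
    including the kind of long non-ASCII blob described in the post."""
    if not entry.isascii():
        return False
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        pass
    return is_valid_hostname(entry)


def add_host(host_list: list, entry: str, max_entries: int = 10000) -> bool:
    """Gate for anything reaching the monitored-hosts list from untrusted traffic:
    validate, deduplicate and cap the list so junk cannot bloat it or hang searches.
    Returns True if the entry was accepted (already-present entries count as accepted)."""
    if not is_valid_host_entry(entry):
        return False
    if entry in host_list:
        return True
    if len(host_list) >= max_entries:
        return False
    host_list.append(entry)
    return True


if __name__ == "__main__":
    # Constructed sample entries: two legitimate hosts and two overflow-style payloads.
    samples = ["192.0.2.10", "ids-sensor-01.example.com", "\u00ff" * 4000, "A" * 2000]
    hosts = []
    for s in samples:
        print(f"{s[:24]!r:30} accepted={add_host(hosts, s)}")
    print("hosts list:", hosts)
```

The check runs at the point of insertion rather than at display time, so a rejected entry never reaches the database and the search path only ever sees well-formed names.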

This is particularly disappointing as I was finally starting to like this product more for mass-deployment but this has proved to be a major setback regarding the amount of faith I was willing to put in this application.   For the time being, as I am not an advocate of any disclosure methods, the product and vendor will remain unnamed.  I am working in conjunction with the vendor to patch these issues so that maybe there is still hope for deploying the product but at this point, it is entirely too difficult to tell.

On a final note I am working on my term paper which deals with buffer overflows, polymorphic shellcode and IDS evasion and it will probably be awesome, just like everything else I write.  Maybe I can make it less formal and turn it into a posting series or maybe I can make it too complicated to follow and call it a whitepaper.  I am thinking to go with the first option.

That’s about all I have for now.  Have a great weekend and don’t do anything too stupid.

nUbuntu Tools and Suggestions

•August 22, 2008 • 3 Comments

Per my last post, I have been pretty involved in the nUbuntu project and I would like to poll the community and readers of this blog for suggestions.

Below is a list of new tools which I/we hope to have implemented in the next beta/alpha release.

- W3af

- BlindCrawl for forward bruteforce DNS

- SPIKE

- Inguma and its openDis and Krash fuzzing components

- Ettercap GTK GUI

- Immunity Debugger (might be a WiNE nightmare)

- Lynis

- Paros Proxy

- BurpSuite

- ProxyStrike

- IKE-scan

- Hydra/xHydra

- ASP.NET application scanner

- DNS Predict for DNS enumeration

- Firetester

- Pantera

- MaltegoCE

- DirBuster

And more will come up as we think of them. There are a lot of great tools listed above, but there are a lot more to be added of course! If you can think of any that have not been listed that you find particularly useful, feel free to leave a comment and it will definitely be taken into consideration.

On a final note we could also use a mirror to help us with snapshot releases so if anyone wants to donate some bandwidth please leave a comment as your assistance would be greatly appreciated in the growth of this project.

Stay classy!

nUbuntu

•July 17, 2008 • 2 Comments

Well it’s been quite some time since I updated this blog and to those that keep checking back, my apologies and appreciation. Things have been hectic this summer but there are a lot of cool projects underway. Inguma will (hopefully) have another release sometime in the near future with some awesome modules and exploits but unfortunately I can’t get into details on that. However, I can go into details on another new project which has recently caught my eye, nUbuntu!

What is nUbuntu you ask? Well I am glad you asked. Per the words of the site:

The main goal of nUbuntu is to create a distribution which is derived from the Ubuntu distribution, and add packages related to security testing, and remove unneeded packages, such as Gnome, Openoffice.org, and Evolution. nUbuntu is the result of an idea two people had to create a new distribution for the learning experience. Many people ask, “What makes it better than X?”, or “Why should I use this over Y”. Our answer to this question is, we do not think about whether people are using it or not. We are more concerned about the learning process. If you want to try something with a clean interface, fast, and an excellent range of programs please don’t hesitate to download nUbuntu.

Last night I downloaded the .iso and needless to say I am very impressed.

It should be noted that nUbuntu was originally released as a stripped down version of 6.10 and has since been pretty dormant. Recently the project was resurrected from the depths of FOSS abandonment and looks to be making a strong comeback. The 8.04 release is still in alpha and as with any alpha release, there is a lot of work to be done but so far the included utilities are off to a fantastic start.

Even as a liveCD in a VirtualBox, nUbuntu performs quickly and is terribly responsive. The tools, while not all complete and/or fully implemented (it’s alpha!) really do a great job of demonstrating just how flexible and useful this distro aims to be. While I could go on about the utilities and what it includes, the screenshots do a pretty fantastic job of that for me so take a look and see what it has to offer.

One last thing before we conclude today’s episode of excitement: I often get the feeling that a lot of people in the community just want awesome tools without having to do much work, which is not the spirit of community-based development. Rather than preach about the merits of contributing I will simply say this: download it, break it, improve it, donate it, make suggestions and help us give you a better tool to work with.

Open source is sexy and so are you.

Who Has My Data!?

•June 2, 2008 • 2 Comments

In this day and age, when people fear for their identity and personal information to a greater extent than ever before, you would think the encryption of such data would be a priority that is without parallel. Unfortunately this is not the case. It seems like every time I check my RSS feeds there is always a story about some corporation who possesses a fantastic ability to completely ignore the privacy of the people who keep them in business. Case in point:

Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.

I wish I had a more eloquent way to say this, but what the hell?
The first thing that came to my mind was whether or not the data was encrypted. Sure enough, “It contended that none of the unencrypted data has been accessed or used.” This brings me back to my first point of “what the hell?”
As it stands, computing power is greater than those in the past had previously envisioned and, as a result, it has increased the speed and efficiency at which data can be encrypted. With this in mind, why are huge corporations still not protecting their data?

The Hong Kong branch of banking giant Hongkong and Shanghai Banking Corporation Limited (HSBC) has lost a computer server with client data involving about 159,000 accounts, the bank confirmed on Wednesday. Source

But wait, there’s more!

An Internal Revenue Service employee lost an agency laptop early last month that contained sensitive personal information on 291 workers and job applicants, a spokesman said yesterday.

The IRS’s Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Source

I can accept and understand that laptops and hard drives get lost or stolen. While having lost them is more inexcusable than being stolen, let’s be honest, sometimes stuff just happens. However, losing an entire server, that is quite an achievement.

It worries me that those who we trust to protect our personal information and data can so easily lose it. Beyond simply losing it, the fact that it is unencrypted and thus unprotected makes matters exponentially worse. With the technology and resources we have, there is absolutely no reason these cryptographic safeguards are not put into place. If people cannot guarantee the physical safety of the data (and we all know in the business of infosec there are no guarantees) they need to take certain measures which so far, appear to be frighteningly far down on the list of priorities.

Dally In the Desert

•May 30, 2008 • 3 Comments

[image: t10rts_05_defcon]

That was probably the best image I could have possibly found for this post, and yes, at Defcon, everyone dies. On that note…

As the title implies, Defcon 16 is coming up in August and it will no doubt follow its pattern of continuing to improve. So far the speaker list is looking very impressive and while I will not be able to attend, I am looking forward to seeing some of the videos that will no doubt be released shortly after the conference concludes.

Moving along but still keeping Defcon in mind, I’d like to take a minute to recap some of my favorite talks from last year’s Defcon.

Johnny Long’s “No Tech Hacking”

H.D. Moore and Val Smith on “Tactical Exploitation”

And last but far from least, Dan Kaminsky on Reviewing the Web

Before we conclude today’s awesomeness, I would like to mention that due to time constraints I have been unable to really put together a solid tutorial similar to my Burp Proxy tutorial or fuzzing with Krash and for that I apologize. In the mean time I will be trying to keep the site updated with some of the day’s breaking network and information security news/articles/opinions/whatevers.

Take care.

P.S. Nice find from Dave Lewis here.

Yea, I know…

•May 19, 2008 • Leave a Comment

I’ve been bad about updating. Things have been busy but hopefully I can work up something cool this coming week.

I had thought about detailing the Debian OpenSSL problems that a lot of us have been reading about but in case you missed it, H.D. Moore already did an incredible job on it.

On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. The bug in question was caused by the removal of the following line of code from md_rand.c

MD_Update(&m,buf,j);
[ .. ]
MD_Update(&m,buf,j); /* purify complains */

These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code that was linked to OpenSSL. You can see one such report to the OpenSSL team here. Removing this code has the side effect of crippling the seeding process for the OpenSSL PRNG. Instead of mixing in random data for the initial seed, the only “random” value that was used was the current process ID. On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations.

To view his entry and input on the topic, click here.
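The quoted explanation comes down to a counting argument: once the entropy buffer is no longer mixed into the pool, the pool is a function of the PID alone, and with a default PID ceiling of 32,768 there are at most that many distinct seeds, and so at most that many distinct keys per platform and key size. The following Python model is an added illustration for this page, not code from H.D. Moore’s post or from OpenSSL: SHA-1 stands in for OpenSSL’s internal MD mixing, the entropy buffer is simulated with os.urandom, and derive_key is a hypothetical stand-in for key generation. It also shows the defender’s side of the same arithmetic: because the broken seeding can only emit a finite set of keys, that set can be precomputed once and any key checked against it (the same idea behind the blacklist tooling Debian shipped after the advisory).

```python
import hashlib
import os

# Figure quoted in the post: default maximum PID on Linux at the time.
LINUX_DEFAULT_PID_MAX = 32768


def seed_pool_patched(pid: int, entropy_buf: bytes) -> bytes:
    """Model of the intended seeding: PID plus a buffer of gathered entropy.
    The second update plays the role of the removed MD_Update(&m,buf,j)."""
    md = hashlib.sha1()
    md.update(pid.to_bytes(4, "little"))
    md.update(entropy_buf)  # the call the Debian patch dropped
    return md.digest()


def seed_pool_debian(pid: int, entropy_buf: bytes) -> bytes:
    """Model of the broken seeding: the entropy buffer is gathered but never
    mixed in, so the pool depends on the PID alone (this is the defect)."""
    md = hashlib.sha1()
    md.update(pid.to_bytes(4, "little"))
    # entropy_buf intentionally unused
    return md.digest()


def derive_key(pool: bytes) -> str:
    """Hypothetical deterministic key derivation from the pool (assumption:
    any deterministic function of the pool gives the same counting result)."""
    return hashlib.sha256(b"key-from-pool:" + pool).hexdigest()


def reachable_keys(seed_fn, pid_max: int = LINUX_DEFAULT_PID_MAX,
                   trials_per_pid: int = 1) -> int:
    """Count distinct keys produced when every PID is tried with
    `trials_per_pid` fresh entropy buffers."""
    keys = set()
    for pid in range(1, pid_max + 1):
        for _ in range(trials_per_pid):
            keys.add(derive_key(seed_fn(pid, os.urandom(32))))
    return len(keys)


def weak_key_table(pid_max: int = LINUX_DEFAULT_PID_MAX) -> dict:
    """Defender's view: enumerate every key the broken seeding can emit, once,
    and map key -> PID so a suspect key can be looked up in constant time."""
    return {derive_key(seed_pool_debian(pid, b"")): pid
            for pid in range(1, pid_max + 1)}


def is_weak(key: str, table: dict) -> bool:
    """True if `key` is one of the keys the broken generator could have produced."""
    return key in table


if __name__ == "__main__":
    n = 2000  # smaller PID range so the demo runs in well under a second
    print("broken seeding, 3 runs per PID :", reachable_keys(seed_pool_debian, n, 3))
    print("patched seeding, 3 runs per PID:", reachable_keys(seed_pool_patched, n, 3))
    table = weak_key_table()
    print("size of full weak-key table     :", len(table))
    suspect = derive_key(seed_pool_debian(4242, os.urandom(32)))
    print("suspect key weak?               :", is_weak(suspect, table), "pid", table.get(suspect))
```

With the broken seeding the number of distinct keys stops growing at the PID ceiling no matter how many times keys are generated, while the patched seeding yields a new key on every run; the full weak-key table for 32,768 PIDs is small enough to build in memory in a fraction of a second, which is exactly why the affected keys had to be treated as compromised rather than merely weak.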

In the mean time, play with w3af. It’s fun for the whole family!

Regulators! Mount up!

•May 6, 2008 • 1 Comment

So while I head into crunch time, a.k.a. the last 2 weeks of classes, there won’t be any super sweet posts here. Make no mistake, every word I author is super sweet, but the content won’t be as major as previous entries. In the mean time, I’d like those who frequent my blog to be sure and check out some other awesome security sites that you may not be familiar with.

GNUCITIZEN
GNUCitizen is a fantastic security blog and a site based around the hacker lifestyle. They recently got some big attention regarding some Quicktime 0 day exploit but beyond that, it’s just good wholesome reading for the whole family.

Liquid Matrix Security Digest
This is the personal blog of security researcher Dave Lewis. This is, without a doubt, on my list of top 5 blogs. It is also the place where I first read about one of my newest and most favorite terms, cyberdouchery.

Dark Reading Room
The Dark Reading Room is a slick site which provides frequent updates on security articles and hacker activity. It is also a great place to get lost catching up on old happenings you might have missed and put a bit more content into your security repertoire. (yea, we just Frenchified this blog, and no, I have no clue if that is a real word)

That’s really about all for now. Hopefully I will be done with this semester incredibly fast and I look forward to doing some more tutorials. If anyone has any suggestions for some material they would like to see covered, feel free to leave a comment as I enjoy hearing from readers.

Stay classy internet!