Lastly, while it isn’t official, I am pretty sure nUbuntu is dead…  On that note, it was fun and thanks to everyone involved.

Cheers.

“The National Security Agency had access to all Americans’ communications — faxes, phone calls, and their computer communications,” Tice claimed. “It didn’t matter whether you were in Kansas, in the middle of the country, and you never made foreign communications at all. They monitored all communications.”

Tice further explained that “even for the NSA it’s impossible to literally collect all communications. … What was done was sort of an ability to look at the metadata … and ferret that information to determine what communications would ultimately be collected.”

Go on you say?  Read more here

Looks like all you TOR lovers aren’t as safe as you thought! ; )

Hello Childrens!

So it’s been a long while and as I still have people viewing this blog despite the spell of inactivity, I thought it might be best to give any of the regulars an update.

I’ve been pretty busy since I took a new job as a system administrator/in-house security guy but I am really enjoying my job.  I get a fair amount of freedom to “play,” with my security hobbies in the name of work and at the same time, learn a lot from an administrator’s point of view rather than just an attacker.  Recently we began testing a new IDS/IPS and I was more or less put in charge of auditing it and seeing how well it would perform.  My initial impression was that it was simplified enough to provide information directly to the user with no bullshit in between but this impression was given before I had enough time to actually probe the application.  As it turns out, during this testing (in less than 24 hours) 2 zero day vulnerabilities were discovered.  The first vulnerability is one which allows a remote attacker to inject arbitrary data into the hosts list of the application.  This was initially discovered during some automated exploit testing to see how it reported, what it picked up, etc.  After the test(s) concluded, I went to check the logs and noticed that I had some massive Unicode strings under the hosts list.  After examining this further, this string looked like the payload of a buffer overflow.  Based upon this, it became apparent that an attacker could add any information to the hosts list for this particular IDS.  I have also been working to find out if this attack can be leveraged to remove hosts from the list but as of yet, I have not had enough time.

The second 0 day which kind of piggybacks off of the first results DoS condition on the database the IDPS uses or at least its search function.  If you inject 5 of these unicode strings into the target monitoring list, the search function never completes.  That’s right, if you add 5 of these strings, click search, the database hangs and the search never completes rendering the program’s only reporting interface for Linux (the web interface) completely useless.

Both of these exploits can be accomplished remotely, with no authentication required, having no knowledge of anything on the target system.  All you need to do is launch this at the IP and it automagically works.

This is particularly disappointing as I was finally starting to like this product more for mass-deployment but this has proved to be a major setback regarding the amount of faith I was willing to put in this application.   For the time being, as I am not an advocate of any disclosure methods, the product and vendor will remain unnamed.  I am working in conjunction with the vendor to patch these issues so that maybe there is still hope for deploying the product but at this point, it is entirely too difficult to tell.

On a final note I am working on my term paper which deals with buffer overflows, polymorphic shellcode and IDS evasion and it will probably be awesome, just like everything else I write.  Maybe I can make it less formal and turn it into a posting series or maybe I can make it too complicated to follow and call it a whitepaper.  I am thinking to go with the first option.

That’s about all I have for now.  Have a great weekend and don’t do anything too stupid.

Below is a list of new tools which I/we hope to have implemented in the next beta/alpha release.

-W3af

- BlindCrawl for forward bruteforce DNS

- SPIKE

-Inguma and it’s openDis and Krash fuzzing components.

-Ettercap GTK GUI

-Immunity Debugger (might be a WiNE nightmare)

-Lynis

-Paros Proxy

-BurpSuite

-ProxyStrike

-IKE-scan

-Hydra/xHydra

-ASP.NET application scanner

-DNS Predict for DNS enumeration

-Firetester

-Pantera

-MaltegoCE

-DirBuster

And more will come up as we think of them.  There are a lot of great tools listed above but there a lot more to be added of course!  If you can think of any that have not been listed that you find particularly useful, feel free to leave a comment and it will definitely be taken into consideration.

On a final note we could also use a mirror to help us with snapshot releases so if anyone wants to donate some bandwidth please leave a comment as your assistance would be greatly appreciated in the growth of this project.

Stay classy!

What is nUbuntu you ask? Well I am glad you asked. Per the words of the site:

The main goal of nUbuntu is to create a distribution which is derived from the Ubuntu distribution, and add packages related to security testing, and remove unneeded packages, such as Gnome, Openoffice.org, and Evolution. nUbuntu is the result of an idea two people had to create a new distribution for the learning experience. Many people ask, “What makes it better than X?”, or “Why should I use this over Y”. Our answer to this question is, we do not think about whether people are using it or not. We are more concerned about the learning process. If you want to try something with a clean interface, fast, and an excellent range of programs please don’t hesitate to download nUbuntu.

Last night I downloaded the .iso and needless to say I am very impressed.

It should be noted that nUbuntu was originally released as a stripped down version of 6.10 and has since been pretty dormant. Recently the project was resurrected from the depths of FOSS abandonment and looks to be making a strong comeback. The 8.04 release is still in alpha and as with any alpha release, there is a lot of work to be done but so far the included utilities are off to a fantastic start.

Even as a liveCD in a VirtualBox, nUbuntu performs quickly and is terribly responsive. The tools, while not all complete and/or fully implemented (it’s alpha!) really do a great job of demonstrating just how flexible and useful this distro aims to be. While I could go on about the utilities and what it includes, the screenshots do a pretty fantastic job of that for me so take a look and see what it has to offer.

One last thing before we conclude todays episode of excitement, I often get the feeling like a lot of people in the community just want awesome tools without having to do much work which is not the spirit of community-based development. Rather than preach about the merits of contributing I will simply say this: download it, break it, improve it, donate it, make suggestions and help us give you a better tool to work with.

Open source is sexy and so are you.

Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.

I wish I had a more eloquent way to say this, but what the hell?
The first thing that came to my mind was whether or not the data was encrypted. Sure enough, “It contended that none of the unencrypted data has been accessed or used.” This brings me back to my first point of “what the hell?”
As it stands, computing power is greater than those in the past had previously envisioned and as a result, it has increased the speed and effeciency at which data can be encrypted. With this in mind, why are huge corporations still not protecting their data?

The Hong Kong branch of banking giant Hongkong and Shanghai Banking Corporation Limited (HSBC) has lost a computer server with client data involving about 159,000 accounts, the bank confirmed on Wednesday. Source

But wait, there’s more!

An Internal Revenue Service employee lost an agency laptop early last month that contained sensitive personal information on 291 workers and job applicants, a spokesman said yesterday.

The IRS’s Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Source

I can accept and understand that laptops and hard drives get lost or stolen. While having lost them is more inexcusable than being stolen, let’s be honest, sometimes stuff just happens. However, losing an entire server, that is quite an achievement.

It worries me that those who we trust to protect our personal information and data can so easily lose it. Beyond simply losing it, the fact that it is unencrypted and thus unprotected makes matters exponentially worse. With the technology and resources we have, there is absolutely no reason these cryptographic safeguards are not put into place. If people cannot guarantee the physical safety of the data (and we all know in the business of infosec there are no guarantees) they need to take certain measures which so far, appear to be frighteningly far down on the list of priorities.

That was probably the best image I could have possibly found for this post, and yes, at Defcon, everyone dies. On that note…

As the title implies, Defcon 16 is coming up in August and it will no doubt follow its pattern of continuing to improve. So far the speaker list is looking very impressive and while I will not be able to attend, I am looking forward to seeing some of the videos that will no doubt be released shortly after the conference concludes.

Moving a long but still keeping Defcon in mind, I’d like to take a minute to recap some of my favorite talks from last year’s Defcon.

Johnny Long’s “No Tech Hacking”

H.D. Moore and Val Smith on “Tactical Exploitation”

And last but far from least, Dan Kaminsky on Reviewing the Web

Before we conclude today’s awesomeness, I would like to mention that due to time constraints I have been unable to really put together a solid tutorial similar to my Burp Proxy tutorial or fuzzing with Krash and for that I apologize. In the mean time I will be trying to keep the site updated with some of the day’s breaking network and information security news/articles/opinions/whatevers.

Take care.

P.S. Nice find from Dave Lewis here.

I had thought about detailing the Debian OpenSSL problems that a lot of us have been reading about but in case you missed it, H.D. Moore already did an incredible job on it.

On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. The bug in question was caused by the removal of the following line of code from md_rand.c

MD_Update(&m,buf,j);
[ .. ]
MD_Update(&m,buf,j); /* purify complains */

These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code that was linked to OpenSSL. You can see one such report to the OpenSSL team here. Removing this code has the side effect of crippling the seeding process for the OpenSSL PRNG. Instead of mixing in random data for the initial seed, the only “random” value that was used was the current process ID. On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations.

To view his entry and input on the topic, click here.

In the mean time, play with w3af. It’s fun for the whole family!

GNUCITIZEN
GNUCitizen is a fantastic security blog and a site based around the hacker lifestyle. They recently got some big attention regarding some Quicktime 0 day exploit but beyond that, it’s just good wholesome reading for the whole family.

Liquid Matrix Security Digest
This is the personal blog of security researcher Dave Lewis. This is, without a doubt, on my list of top 5 blogs. It is also the place where I first read about one of my newest and most favorite terms, cyberdouchery.

Dark Reading Room
The Dark Reading Room is a slick site which provides frequent updates on security articles and hacker activity. It is also a great place to get lost catching up on old happenings you might have missed and put a bit more content into your security repertoire. (yea, we just Frenchified this blog, and no, I have no clue if that is a real word)

That’s really about all for now. Hopefully I will be done with this semester incredibly fast and I look forward to doing some more tutorials. If anyone has any suggestions for some material they would like to see covered, feel free to leave a comment as I enjoy hearing from readers.

Stay classy internet!

The more an intrusion detection system (IDS) knows about the network it is trying to protect, the better it will be able to protect the network. This is the fundamental principle behind target-based intrusion detection, where an IDS knows about the hosts on the network.

And that is exactly what is discussed. Why post this? I feel that it is an excellent resource which can help beginners understand how an IDS does what it does and gives some tips for people that might be pros.

Be sure to check it out in its entirety. Part 1 Part 2.