July 2nd, 2009 by Aviram, Filed under: Commentary, Full Disclosure, Corporate Security
The startup VoIPShield is changing its disclosure policy to stop giving out VoIP bugs for free and start charging vendors for it. CEO Rick Dalmazzi writes:
Avaya doesn’t “have to” pay us for anything. We do not “require” payment from you. It’s Avaya’s choice if you want to acquire the results of years of work by VoIPshield. It’s a business decision that your company will have to make. VoIPshield has made a business decision to not give away that work for free.
I can totally see his point. While we would like to see all vulnerabilities out in the open, for free, companies and researchers that have worked hard to find security vulnerabilities should be compensated.
But I do think Rick is taking the long and hard path by asking the vendors directly - there’s still a long way to go there. We’ve been helping researchers sell their research to organizations who wanted to pay for 0-day vulnerability information through our SSD (SecuriTeam Secure Disclosure) program and the main conclusions so far are that there are organizations willing to pay for this information to protect themselves, but those are not the vendors (yet).
What we see is that organizations use this information as leverage on the vendors. Since they have information about undisclosed vulnerabilities, they can apply that pressure (more effectively than we can as researchers) to force the vendors to plug those holes. After a while, maybe vendors will choose to drink upstream and subscribe to this information themselves. But that may take a while (a friend of mine who is responsible for product security at a very large vendor says that will be a cold day in hell).
In any case, good luck to VoIPShield and their new paid-disclosure program. If they are successful I think security researchers will benefit, and in the long run customers will be more protected as vendors get direct access to zero-day vulnerabilities.
July 1st, 2009 by Aviram, Filed under: Web, Full Disclosure, Culture, Phishing
Somebody had to do it, and I’m glad it’s Aviv Raff who finally went for it. This is just the first of what I’m sure will be many Twitter-related vulnerabilities.
There’s a lot to check in Twitter, and I’m sure this will be an interesting month. While Aviv is bringing home the meat, here’s a question to ask yourself in the meantime: How many web services have your Twitter password? More than 5? More than 10? How many of them are still active, and what happens if one of them goes bankrupt and sells the list to someone?
Update: apparently this was fixed after a few hours. The power of “Month of Bugs” I guess.
June 30th, 2009 by Aviram, Filed under: Web, Commentary, Law, Phishing
A few years ago, the personal blog of the Iranian president Ahmadinejad included a piece of malware code that was only served to Israeli IP addresses, attempting to infect Israeli machines visiting the site while presenting a seemingly harmless page to any Western visitor who was not Israeli. I thought that was quite a clever attack at the time.
But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in law.co.il (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.
These domains use names with Hebrew characters, which are now available as internationalized domain names (IDN). However, typing Hebrew domain names is not yet common practice, and companies still prefer English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, the Knesset, and several major banks.
Since each domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. law.co.il traced many of the domain names, particularly those of major ministries and public services, to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in wartime that go beyond simple phishing. With the speed at which news travels on the Internet these days, it shouldn’t be difficult to do some psychological warfare if you own “credible” domain names.
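As an added illustration (not part of the original post), the check below does what a brand owner or registrar can do on the defensive side of this story: decode the punycode form of a hostname back to Unicode, report which scripts each label uses, and flag labels that match a watch-list of institution names. The watch-list entry, the sample hostnames and the function names are all my own constructions (the watch-list holds only the generic Hebrew word for "bank"); the decoding uses Python's standard-library `idna` codec.

```python
import unicodedata

# Constructed watch-list of names an institution wants to see flagged when they
# appear as IDN labels. Hypothetical data: here only the Hebrew word for "bank".
WATCHLIST = {"בנק"}


def to_unicode_host(host: str) -> str:
    """Decode a hostname's punycode ("xn--") labels to Unicode; ASCII labels pass through."""
    return host.encode("ascii").decode("idna")


def to_ascii_host(host: str) -> str:
    """Encode a Unicode hostname to the punycode form that actually appears in DNS."""
    return host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label, taken from the Unicode character
    names ('LATIN SMALL LETTER A' -> 'LATIN', 'HEBREW LETTER BET' -> 'HEBREW')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def assess_host(host: str) -> dict:
    """Decode an IDN hostname and report what a registration monitor would look at:
    the Unicode form, the scripts in use, whether any non-Latin script appears,
    and whether any label is on the watch-list."""
    unicode_host = to_unicode_host(host)
    labels = unicode_host.split(".")
    scripts = set().union(*(scripts_in(label) for label in labels))
    return {
        "unicode": unicode_host,
        "scripts": scripts,
        "non_latin": bool(scripts - {"LATIN"}),
        "watchlisted": any(label in WATCHLIST for label in labels),
    }


if __name__ == "__main__":
    # Constructed sample: the Hebrew word for "bank" under .il, as it would be registered.
    registered = to_ascii_host("בנק.il")
    print(registered, "->", assess_host(registered))
    print("example.il ->", assess_host("example.il"))
```

The monitor runs over the ASCII (punycode) names as they show up in zone files or registration feeds, which is why `assess_host` takes the `xn--` form rather than Unicode.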
June 25th, 2009 by Aviram, Filed under: Web, Sec Tools
I saw a demo of Green SQL today, and during the demo Yuli showed me a cute SQL-injection method for MySQL that I’d never seen before.
It will evade some IDSs, and it is also a good reply to web developers who tell you that filtering the words “OR” and “AND” is enough as a generic SQL-injection protection.
It’s not “new”, but it was new to me. The idea is to place two equal signs inside the query so that it becomes:
SELECT * FROM users WHERE column='b'='c'
More information and a very detailed explanation here. It seems to be specific to MySQL.
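Added illustration, not code from the post or from Green SQL: the snippet below shows why an OR/AND keyword blacklist gives no protection against this shape of input, and what does. It builds a constructed in-memory SQLite table; SQLite compares `0` and `'c'` strictly rather than coercing `'c'` to `0` as MySQL does, so the chained comparison is not true there, and the point demonstrated is that the blacklist passes the input, the string-built query takes the exact `column='b'='c'` shape from the post, and a parameterized query reduces the payload to a harmless literal. Table and function names are my own.

```python
import re
import sqlite3

# The keyword blacklist the post argues against: reject anything containing OR or AND.
KEYWORD_FILTER = re.compile(r"\b(OR|AND)\b", re.IGNORECASE)


def naive_filter_blocks(value: str) -> bool:
    """True if the OR/AND blacklist would reject this input."""
    return KEYWORD_FILTER.search(value) is not None


def unsafe_sql(username: str) -> str:
    """String-built query: the input lands inside the SQL text, which is how the
    WHERE column='b'='c' shape from the post arises from an innocent-looking value."""
    return f"SELECT username FROM users WHERE username='{username}'"


def build_db() -> sqlite3.Connection:
    """Constructed sample table, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Runs the string-built query. On MySQL the payload b'='c returns every row whose
    username is not 'b': (username='b') yields 0, and 0='c' is true once 'c' is coerced
    to 0. SQLite compares 0 and 'c' strictly, so the bypass does not reproduce here."""
    return [row[0] for row in conn.execute(unsafe_sql(username))]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver sends the value separately from the SQL text, so the quote
    and the equal sign in the payload are just characters that match no username."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username=?", (username,))]


if __name__ == "__main__":
    conn = build_db()
    payload = "b'='c"
    print("blacklist blocks payload:", naive_filter_blocks(payload))
    print("query built from payload:", unsafe_sql(payload))
    print("parameterized lookup    :", lookup_parameterized(conn, payload))
```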
June 16th, 2009 by p1, Filed under: Web, Commentary, Privacy, Culture, OT
Over the past few days, both the Vancouver Sun and the Ottawa Citizen have published (basically the same) story about “Toronto-based Ancestry.ca.” From the articles, this appears to be related to such public institutions as the national archive and Library and Archives Canada. And the price is right: “A two-week free trial period that began June 10 allows users to search for and download documents at no charge.”
I tried it out. Giving minimal information about him brought up over 6,000 hits, the second of which was my grandparents’ marriage certificate. Pretty good.
Unfortunately, that is not the whole story. If you want to actually see anything that the search finds, you have to register. And, if you pay attention, and actually read the “Terms and Conditions” (and look at the full screen, not the portion that shows when the box first pops up), you find that you are registering with “an Internet service (the “Service”) owned and operated by The Generations Network, Inc, an American company incorporated in Delaware, USA, and whose registered address is 360 W 4800 N Provo, UT 84604, USA.” In order to register you have to provide a credit card. After 14 days (and it isn’t clear whether that is 14 days after June 10, or 14 days after you register) “[i]f you wish to terminate your subscription you must notify us at least two (2) days before the Renewal Date by calling (800) 958-9073 Member service is available from Monday to Friday 7:00 am to 4:00 pm MST, or by sending an email to cancel@ancestry.ca providing the following information: Given name and surname, Username, Subscription type (UK/Ireland collection, etc.), Email address used when subscribing, Phone number including country code, Country. If you fail to respond to the notice, your subscription will be automatically renewed,” and, of course, your credit card will be charged.
So, read carefully, people. Are you dealing with a public institution, or a private company? Are you dealing with a company in your country, or another? And, is your “free trial” an “opt-out” contract for the company to start billing your credit card?
June 15th, 2009 by Rafel Ivgi, Filed under: Commentary
These days, security is going digital: from live, automated event-log analysis to personal “on-key” tokens and remotely controlled security cameras.
These technologies should be used carefully. For example, if the token generates 6 digits and there is no password-complexity enforcement, users can set their password to “1” and we end up with a 7-character password. If log data is not filtered before being rendered as HTML, it may execute code. Even worse, if it is viewed on a command-line console, it may execute code using the console’s colour control characters.
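As an added example (mine, not the author's), the two log-rendering cases above are handled by one small sanitizer: terminal escape sequences and control characters are stripped before an entry reaches a console, and the same cleaned entry is HTML-escaped before it reaches a browser. The sample log line is constructed; it carries a script tag and colour escapes to show both paths.

```python
import html
import re

# ESC-introduced terminal sequences: CSI (ESC [ parameters final-byte) and the
# single-character ESC sequences; these are what colour codes are built from.
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[@-Z\\-_]")
# Remaining C0 control characters and DEL, keeping tab and newline for readability.
CTRL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Constructed sample entry: markup plus a red/reset colour pair and a BEL character.
SAMPLE_ENTRY = ("2009-06-15 login failed for user <script>alert(1)</script> "
                "\x1b[31mfrom 10.0.0.1\x1b[0m\x07")


def strip_control(entry: str) -> str:
    """Remove escape sequences and control characters so an entry cannot drive the terminal."""
    return CTRL_RE.sub("", ANSI_RE.sub("", entry))


def for_console(entry: str) -> str:
    """What a console viewer should print: plain text only."""
    return strip_control(entry)


def for_html(entry: str) -> str:
    """What a web viewer should emit: control characters removed, then HTML-escaped so
    the entry renders as text rather than as markup."""
    return html.escape(strip_control(entry))


if __name__ == "__main__":
    print(for_console(SAMPLE_ENTRY))
    print(for_html(SAMPLE_ENTRY))
```

Note that escaping is applied at output time for the specific sink (console or HTML), not at collection time, so the stored log keeps the attacker's exact bytes for investigation.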
When talking about security cameras, a security flaw in the camera’s simple application server may cause the entire video stream to be accessible to an intruder.
While consulting for a big financial customer, I discovered that the security cameras installed are easily accessible to anyone, thanks to a very simple logical flaw. Not to mention default user accounts, empty passwords, the ability to brute-force, directory traversal and some classic authorization-bypass vulnerabilities.
Most of the security cameras in my country are bought from Korea; some of the software is written by the vendor and some by the distributor. Both of them should pay much more attention to security so we won’t have the same classic vulnerabilities over and over again.
Attached are a few screen captures (images not reproduced; captions only): “another white night at work”, “Clothing Shop”, “Coffee Shop”, “Eyes on the ball!!!”, “How’s that shirt?”, “Anyone knows a Safe-Cracker?!”
June 11th, 2009 by jbrown, Filed under: Commentary, Full Disclosure, Culture, Ask the Expert, Corporate Security
0x01 Introduction
0x02 Phrack Prophile on The PaX Team
0x03 Phrack World News
0x04 Abusing the Objective C runtime
0x05 Backdooring Juniper Firewalls
0x06 Exploiting DLmalloc frees in 2009
0x07 Persistent BIOS infection
0x08 Exploiting UMA : FreeBSD kernel heap exploits
0x09 Exploiting TCP Persist Timer Infiniteness
0x0A Malloc Des-Maleficarum
0x0B A Real SMM Rootkit
0x0C Alphanumeric RISC ARM Shellcode
0x0D Power cell buffer overflow
0x0E Binary Mangling with Radare
0x0F Linux Kernel Heap Tampering Detection
0x10 Developing MacOSX Rootkits
0x11 How close are they of hacking your brain ?
You can check it out here.
Now we have something to keep us busy while the net neutrality debates are going on…
June 10th, 2009 by xyberpix, Filed under: Commentary, Full Disclosure, Corporate Security
Following on from the previous two posts that have been put up here and here, seeing the post about the T-Mobile hack on Full-Disclosure, and then T-Mobile admitting that it had happened, really got me thinking.
To the best of my knowledge this will be the third high-profile security breach at T-Mobile in the last 4 years, the first one being Paris Hilton’s SideKick getting hacked. Now, the SideKick episode was more down to user error than T-Mobile’s fault, but this one could have been prevented by using strong password-complexity rules, which I thought was something most major organizations would have picked up on by now, especially the big corporates. Password complexity is not complicated to implement, and it does tend to prevent these little things like brand damage from occurring.
Speaking of brand damage, now that T-Mobile have been hit a second time, where does this leave them with Companies such as Google and Apple?
T-Mobile is currently doing really well with the addition of the Google Android and Apple iPhone handsets to its portfolio, but do Google and Apple really need this sort of publicity? These are the types of incidents that make companies think twice about their partnerships.
I’m completely aware that these type of incidents happen all the time, but most people expect that mobile operators would have stronger security measures in place.
Couple this with the fact that at present T-Mobile is gearing up for a class-action lawsuit over charging customers termination costs, and this is another company that has me wondering how long….
June 9th, 2009 by Aviram, Filed under: Web, Commentary, Full Disclosure, Culture, Corporate Security
The T-mobile data breach that jbrown wrote about has been confirmed by T-Mobile.
I guess not everything you read on Full Disclosure is fake after all…
June 6th, 2009 by jbrown, Filed under: Commentary, Full Disclosure, Law, Culture, Corporate Security, Insider Threat, Hacked
From the looks of it, T-Mobile has been hacked and the goods stolen.
They also seem to love running HP-UX.
June 6th, 2009 by Aviram, Filed under: Linux, Commentary, malware
The swine flu craze in Asia is almost becoming ridiculous. Flying into Beijing a doctor came on board to check everyone’s temperature before they would let us out of the plane. Before passing immigration we were checked again and filled in forms to prove we are all in top health.
Ironically, on the inbound flight to Beijing I caught the flu from the Chinese girl sitting next to me (I’m talking about the regular flu. No need to call an emergency medical team on me). I spent the week gobbling Chinese medicinal herbs, which did a great job of preventing me from crashing sick. But the problem is that I am about to fly back to San Francisco through Tokyo, and I’m trying to think how to convince the Narita officials that my germs are pure and genuine Asian bodies and were not carried with me from any American pigs (political innuendos not intended).
It seems I’m also a carrier of something else, and again it’s not my fault. All I did was connect my USB stick to a computer on the business center in my Beijing hotel. I just wanted to print a document but didn’t bother locking the stick to ‘read only’. Apparently that was enough to have a Trojan infect the USB stick from the malware infested public computer.
Not that it would matter, really, since my machine runs Ubuntu. In fact, I wouldn’t have noticed it unless someone who borrowed the USB stick from me had shown me the virus warning that popped up as they plugged the stick into their Windows machine. I could have infected dozens of machines by the time I found out about it – all those poor Windows machines, Trojaned just for borrowing my USB stick; I really don’t need that on my conscience.
Once I know the Trojan is there, the cleanup is easy: I will ‘rm’ the files and the stick will be healthy again and stop being a carrier for defenseless Windows machines. Now if only it was that easy to recover from this damn flu.
June 3rd, 2009 by Juha-Matti, Filed under: Web, Commentary, Culture, Physical Security, Corporate Security
Open Security Foundation’s DataLossDB has announced the winners of its oldest-incident contest.
One of the oldest documented incidents is the TRW incident from 1984, when a credit-history database covering 90 million American citizens was breached.
Link here.
Update: The winner is an incident from August 1953, when SSNs were lost.
May 28th, 2009 by p1, Filed under: Commentary, Law, Culture, OT, Corporate Security
OK, this has got nothing to do with computers (except that the SkyTrain is completely automated).
For the past three years, Cambie Street, a major thoroughfare with at least four different shopping and business areas on it, has been almost completely shut down for the construction of the RAV (Richmond-Airport-Vancouver) SkyTrain line (aka Canada Line). (Since it is located almost dead centre in Vancouver, the city has been pretty much bisected for that time, and the traffic hassles have been enormous.) Originally the line was supposed to be a tunnel, but that was going to take too long and cost too much, so they dug up the entire street. For three years.
Most of the businesses along Cambie have gone bankrupt in that time: others have moved.
Now a lawsuit for damages has been won by a business owner.
This will, of course, be a precedent, and will undoubtedly lead to more judgements (I think other cases are already before the courts) and more lawsuits.
I’ve got to admit to an uncharitable glee over this turn of events. The RAV line was not prompted, but the decision to actually build it was undoubtedly influenced, by the 2010 Olympics. The provincial government has been absolutely gaga over having the games here, and has launched a number of “vanity” projects and other measures. (Latest on the list: for the games, security personnel won’t have to undergo the minimal training and licencing that already exists. They can get a special certificate which seems to merely verify that they are breathing.)
May 25th, 2009 by p1, Filed under: Web, Commentary, Privacy, Culture, OT, Phishing, Corporate Security, Insider Threat, Networking
According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.
In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.
May 22nd, 2009 by Aviram, Filed under: Commentary
It must be the 90s again. Nirvana is on the radio, and people are finding remotely exploitable WebDAV vulnerabilities. Using unicode encoding no less - the choice of a new generation. A note to Microsoft: in the 21st century we have this new thing called “a fuzzer”. You might want to google for ‘bestorm’ or ask the SDL team about the general concept.
Another 90s thing is to publish a critical exploit without going through a broker to get paid for it (or waiting for a hacking contest). Don’t get me wrong - we offer both options: the publish your exploits for free, and publish your exploits for profit routes are both open to you. Personally - if you go on the full disclosure path more power to you, but I have to admit nowadays it’s as rare as hearing Nirvana on the radio.
Now I hear there’s a new browser out there nicknamed “mozilla”. I think I’ll check it out, they say it will kick Internet Explorer ass before Y2K…
May 10th, 2009 by Juha-Matti, Filed under: Commentary, Privacy, Culture, Physical Security, Corporate Security, Encryption
The oldest documented vulnerability in the computer security world is a password-file disclosure vulnerability from 1965, found by Mr. Ryan Russell.
Open Security Foundation, the organization behind OSVDB and DataLossDB, has launched a competition to find the oldest documented data-loss incident.
The last day to make a submission is next Friday - 15th May.
The link is easy to remember - datalossdb.org/oldest_incidents_contest.