Worm city: security is in the eye of the beholder

it’s difficult living in the world of security researchers. every other day you get depressed knowing there is always yet another vulnerability, and if someone wants to, they will get you.

it is also difficult living in the world of security management and corporate security, when they try controlling their risk and lower their over-all vulnerability.

i am somewhere in the middle. twice cursed.

large companies are interesting because all the assets are spread amongst different groups, systems, networks, and physical locations.

so.. combine large companies with large code bases.

what you get is: worm city (or botnet city if you like). swiss cheese.

as vizzini would say: “inconceivable!” [the princess bride (1987)]

this quick post was written quoting parts of a conversation i had with a security researcher friend, known only as “anonymous jaded security something or other”.

gadi evron,


Vulnerable test application: Simple Web Server (SWS)

every once in a while (last time a few months ago) someone emails one of the mailing lists about searching for an example binary, mostly for:

- reverse engineering for vulnerabilities, as a study tool.
- testing fuzzers

some of these exist, but i asked my employer, beyond security, to release our test application, specific for testing fuzzing (built for the bestorm fuzzer). they agreed to release the http version, following their agreement to release our ani xml specification.

the gui allows you to choose what port you want to run it on, as well as which vulnerabilities should be “active”.

it is called simple web server or sws, and has the following vulnerabilities:

1. off-by-one in content-length (integer overflow/malloc issue)
2. overflow in user-agent
3. overflow in method
4. overflow in uri
5. overflow in host
6. overflow in version
7. overflow in complete packet
8. off by one in receive function (linefeed/carriage return issue)
9. overflow in authorization type
10. overflow in base64 decoded
11. overflow in username of authorization
12. overflow in password of authorization
13. overflow in body
14. cross site scripting
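as an added example (not sws code and not anything from beyond security), the c below shows the two defensive patterns whose absence produces items 1 through 6 on that list: an overflow-checked content-length parser that can never hand malloc() a wrapped or negative length, and a bounded copy for fixed-size fields such as method, uri and version (the same copy would guard host and user-agent). the field caps are assumptions chosen for the example, not values taken from sws.

```c
// Added example, not SWS code: bounded request-line parsing and a strict
// Content-Length parser, modelled on the bug classes the SWS list names.
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_METHOD  8            /* caps are assumptions for this example */
#define MAX_URI     2048
#define MAX_VERSION 16
#define MAX_BODY    (1ul << 20)  /* 1 MiB: largest body the server accepts */

/* Copy len bytes of src into dst[cap] and NUL-terminate; return 0 if the
   field does not fit. Unlike strcpy()/sprintf(), this cannot overrun dst,
   which is the defect behind "overflow in method/uri/version/host". */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Parse Content-Length strictly: decimal digits only, no sign, no trailing
   junk, no overflow, and no larger than MAX_BODY. Returns -1 on any failure,
   so a later malloc(len + 1) can neither wrap to 0 nor see a negative value
   (the "off-by-one / integer overflow" issue in item 1). */
long parse_content_length(const char *s) {
    char *end;
    if (*s < '0' || *s > '9') return -1;           /* rejects "-1", "+5", " 10" */
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1; /* too big or not a number */
    if (v > MAX_BODY) return -1;                    /* excludes ULLONG_MAX too */
    return (long)v;
}

/* Validate "METHOD SP URI SP VERSION" against the fixed caps above.
   Returns 1 and fills the out-params if every field fits, 0 otherwise. */
int parse_request_line(const char *line, char *method, char *uri, char *version) {
    const char *sp1 = strchr(line, ' ');
    if (!sp1) return 0;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (!sp2) return 0;
    if (!copy_bounded(method, MAX_METHOD, line, (size_t)(sp1 - line))) return 0;
    if (!copy_bounded(uri, MAX_URI, sp1 + 1, (size_t)(sp2 - sp1 - 1))) return 0;
    return copy_bounded(version, MAX_VERSION, sp2 + 1, strlen(sp2 + 1));
}
```

a fuzzer aimed at a server built this way should see every oversized or malformed field rejected up front rather than reach the code that allocates and copies.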

it can be found on beyond security’s website, here:

gadi evron,


Fake blogs and search engines

urls in this post should be considered as unsafe.

fake sites and se poisoning are nothing new. the use of blogs for this is far from new, either. thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

web spam is a subject i have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

a new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a google alert on my name.

i get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
this time around they really over-did it.

the page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

then the site shows the youtube video which can be found under my name.
following that is a post i made to a mailing list recently (poorly formatted).
then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

they finish the page off by adding comments, which are actually some old securiteam posts by me.

heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. their auto-creation tools seem to be getting more impressive, and i believe we will see much improved believable sites, soon.

google blog search displays this site as (nasty words replaced with beep):

gadi evron
2 sep 2007
gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. teen cherry action – nice brunette teen beeped hard on the bed and getting a beepy beepshot. beep beeping boy beep teen legs, …
untitled – h ttp://n ewadult.celeberia.com/

h ttp://n ewadult.celeberia.com/sun-shine

again, i am unsure if these urls are safe.

for those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). then of course, there is advertising and google ads.
it works. and the advertising space on unrelated key words is a plus.

the concept is very similar to comment spam. comment spam may not contribute to se ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. nofollow is crap, and what shows up when you search is what matters.

as an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://sunshine.livejournal.com/8859.html for the example).

he left a url for his legitimate python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title ‘a jew in a german camp’ (about the ccc camp in germany). he is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

gadi evron,


A Jew in a German Camp

i just wrote an ot post to my personal blog about the ccc camp, but i figured it was a security camp after all, so i will link to myself here:



Windows screensaver lock and lecturing

i was giving a lecture at nps yesterday, and while i was unlocking my laptop (xp), suddenly, before it unlocked, a file open window popped up. i could browse, and more importantly, open files. the first choice of the system was .hlp.

can someone say pwnage? anyone up to doing some monkey fuzzing on that interface?

gadi evron,


ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, affecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3’s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.: http://www.afilias.info/
icann: http://www.icann.org/
the internet society: http://www.isoc.org/
shinkuro, inc.: http://www.shinkuro.com/

it’s going to be an interesting next week here at the swamp. attendees better show up with their two forms of id. :)

gadi evron,


eWeek: Estonian Cyber-War Highlights Civilian Vulnerabilities

i posted a column on eweek on what critical infrastructure means, looking back at the estonia incident.

they edited out some of what i had to say on home computers and their impact as a critical infrastructure, but hey, word limitations.


Gadi Evron,


Genius Twist on Nigerian Scams

1. phish a hotmail account.
2. send email from the stolen account to all the friends listed for the person, saying you are stuck in nigeria and are in an emergency, asking your friends for money to be wired.


(thanks suresh)

gadi evron,


Free gas?

You think?


I wonder if that is real.


Ansible: Langford and LeGuin, take note

this is a forwarded message from a mailing list i am on. i wrote on my fun blog, but figured it is cool enough to be sent here as ot:.

from: rick moen

the ansible has been patented.

—– forwarded message from dan fingerman —–

date: thu, 12 jul 2007 18:04:18 -0700 (pdt)
from: dan fingerman
subject: patent for hyper-light-speed antenna

u.s. patent no. 6,025,810 is titled “hyper-light-speed antenna”. it
claims an antenna that can send and receive information faster than
the speed of light.
the background of the invention is described:

all known radio transmissions use known models of time
and space dimensions for sending the rf signal.

the present invention has discovered the apparent existence
of a new dimension capable of acting as a medium for re
signals. initial benefits of penetrating this new dimension
include sending rf signals faster than the speed of light,
extending the effective distance of rf transmitters at the
same power radiated, penetrating known rf shielding devices,
and accelerating plant growth exposed to the by-product
energy of the rf transmissions.

the patent is available at:


Ecards and email filtering

in the past two weeks, ecards became a major threat.

ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. with the storm worm and massive exploitation, i believe it has become prudent to filter out all ecard messages in your email systems.

further, some training or awareness information on this subject distributed to your organizations could be very useful.

gadi evron,


Alternative Botnet C&Cs – free chapter from Botnets: The Killer Web App

syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.

it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. ;)

you can download it from this link:

for the full book, you would need to spend the cash.


gadi evron,


Mythbusters beat biometric finger print security

i really like this video, which you can watch on youtube


[update] apparently the link above has been removed, but exists in 20 other uploads:

mythbusters is a cool british show that tries to scientifically attack myths. they even use guns. :p
[update] apparently it’s an american show with different voiceovers all around the world.

to be honest, the way they conduct experiments and reach conclusions is somewhat flawed, to say the least, but they are cool, serious and professional (aside for the occasional safety boo-boo). they invest time and resources in building monstrosities to prove points. :)

this time, it was about breaking biometric systems with gummy bears! (see bottom of post for references)

i have seen this over at xavier ashe’s the lazy genius a longg time ago, but just made a search to find it again and post it here. in the past, i have studied biometrics extensively and how the systems can be beat. but there is nothing like a short video to make your point for you.

original link is from: http://blogs.technet.com/steriley/archive/2006/09/20/457845.aspx

the original public paper discussing this particular technique of $10 worth of materials for breaking these systems using gummy bears is from tsutomu matsumoto, a japanese cryptographer, from around 2002.
i don’t think his paper was ever online, but his slides were. they seem gone now at a casual search, but i found some other slides by him:

gadi evron,


iPhone default passwd: Won’t people ever learn?

i’d expect this from new software companies, maybe. but the big ones seem to keep doing this.

default passwords, especially in widely distributed devices, are bad. no, really. enough with these already.

iphone root password cracked
we managed to obtain and crack the hashes of the user passwords for the iphone os. more information could be found at our development wiki here (link removed).

edit: cause you digg people broke the poor wiki:

the password for root is “alpine”
the “mobile” user accounts password is “dottie”

is it sick to have the root password to all iphones worldwide? well not really, there is no terminal yet to login :p


gadi evron,


Botnets != Terrorism, or is it? :)

just last week we were throwing jokes on funsec@, of calling botnets terrorism to get some action going. of course, we decided that’s an extremely bad idea as people are already starting to discount issues when “terrorism” or “2.0” are attached.

no, i am not going to say it, you are going to put these two together on your own! :)

today, fergie (paul ferguson) sent this to funsec:

brian krebs writes in the washington post:


the global jihad landed in linda spence’s e-mail inbox during the summer of 2003, in the form of a message urging her to verify her ebay account information. the 35-year-old new jersey resident clicked on the link included in the message, which took her to a counterfeit ebay site where she unwittingly entered in personal financial information.

ultimately, spence’s information wound up in the hands of a young man in the united kingdom who investigators said was the brains behind a terrorist cell that sought to facilitate deadly bombing attacks against targets in the united states, europe and the middle east.

investigators say spence’s stolen data made its way via the internet black market for stolen identities to 21-year-old biochemistry student tariq al-daour, one of three u.k. residents who pleaded guilty


enjoy. funny, i just had fun with online forums and terrorism with this a few days ago.

buzzwords for fud are generally a bad idea. botnets are not terrorism. :p but of course, like most malicious activity, they are used.



Two years old!

it’s been a long two years, and blogs has under-gone many changes. heck, we now have 15k unique readers a day (not including rss) !!
the main point behind blogs is that although we aim to provide high-quality content, our content-generation is done mostly by our fellow site visitors. sometimes it’s busy, sometimes it’s better. it’s always done in the same spirit and open to peer criticism. more importantly, it’s fun. :)

sometimes we speak of news, other times of concepts and then again on low-level assembly. it is what interests our visitors which they (us) write about.

one of my personal favorite posts of all time was the one by dmitry, speaking in a very funny tone about our industry. :)
how to get a job with pen-testing team.

truly, a must read! the comments on that post are especially good.

before i wish us all a happy birthday and an even more productive future which we can use all we learned so far to get better in… here’s what i learned first when i started blogging, and it isn’t about security or writing…

i like mailing lists, and i participate on some, depending on time and interest concerns. before i started blogging with securiteam, i used to be more active, and felt these different discussion forums were a home. i had a problem.
i’d start talking about something there and say to myself “hey, why not write about it in blogs?” and i would. or the other way around, i’d blog something and say “hey, wouldn’t this interest community home #21?” :p

i went through several phases before settling down on what was best:
1. email in that i wrote about something in my blog.
2. email in just a bit or a summary, as i don’t want to write twice, and send a link to my blog.
3. copy the entire blog post, and add a link (which was useful when updates to the text were made).
4. include a link to your blog in your signature.
5. email in a copy, and unless i have a specific reason, don’t mention the blog.

i keep seeing other people repeating the above process (more or less), with minor changes as to which step comes first, and what is considered acceptable. some people call them spammers, others just smile or pout. one thing is for sure, it is something many new bloggers who were part of at least one community before their blogging days, go through.

my problem is that i am my own worst critic, and had to feel comfortable with posting. my solution ended up being #5 (although #4 is also okay, as critics of that one are just nit-picking flamers). more specifically, i decided:

“stop worrying. post what you want where you want, and try to avoid duplication. do not mention the blog. mention url to the blog only when you have a reason to, such as *necessary* updates that will follow.”

so, even if i did like the idea of people hearing of my blog (obviously), marketing was far from my main intent. i didn’t like the fact it ended up appearing like spam, in their eyes or in mine.

i learned how to participate in these communities while having a topical blog, which for some reason was not as straight-forward for me originally.

i enjoyed these past two years on blogs, and invite you all to start blogging with us.

what was your favorite moment on blogs? :)

happy birthday!