I’m hyped! The much-anticipated Maltego version 2.0 is out. I had previously alluded to maltego here. To the 1% of you who haven’t heard of Maltego, it’s a tool for determining relationships between domains, users, email addresses, etc. I can’t think of an Infosec or traditional corporate security group which wouldn’t benefit from this tool. Check out new features here and here.

OK, everyone is probably familiar with the riddle put forth by Samson. e.g. “From the eater came forth food; and from the strong came forth sweet.”. The answer to that riddle was hidden. Who could have guessed the meaning? The strength of the riddle was in the fact that it was based on subjective knowledge that only Samson possessed. Of course, the story ends badly due to philistine subterfuge…but, I digress. I know that the security industry puts forth much effort in solving the riddle of “spam”. Question one, would a person, solving the spam riddle, be best served in keeping the answer to himself? It would seem that any sort of public solution would give the spammer equal opportunity to adjust their attack vector.

I don’t know much about spam. Google (and their gmail app) seem to know a lot about spam . Joe Stewart over at Secureworks knows a lot about spam. He claims that the top botnets can send over 100 billion spams per day. I have a few more ignorant questions:

2) Spam is a nuisance. Can the power of spam be harnessed and used against ones enemies? If spam is the “eater”, how can it be used to ones advantage?

3) The sending of spam seems highly automated. Can the power of spam be turned inward? Like a child scooping cuploads of black ants on a red ant mount, is there a way of causing a “war” between spambots? Would such a war benefit anyone?

!Dmitry

Another one for you this week, we especially liked XenoMuta’s answer to our previous one.
Lets go:

Dear SecuriTeam,

i am not sure if you are able to help us to find a solution for a special problem but i’ve tried everything and spent a lot of time in the internet without any achievement.

we want to export the content of multiple exchange servers from our branch offices into personal folders (.pst files) and import these informations into our exchange mail system. the main problem why we are not yet able to do this is that we want to scan the content for viruses, worms (if possible with multiple virus scanners) and for unwanted content like videos, music, executables and so on and this in a way that a real content scan would be done instead of just checking against the file extension. also all attached archives (zip, rar etc.) should be opened (if possible) and scanned for its content. if an attachment is found which cannot be scanned because of password protection or encryption or whatever reason this attachment or the complete mail should be deleted or moved to a quarantine area.

Thank your very much for your support

Best regards
J. B.
Germany

Anyone who has ever done serious security research reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.

I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injections that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.

But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences - while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.

If you think the previous paragraph is a paranoid conspiracy theory, lets talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police is trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested for kiddie porn charges, that you are not a dangerous paedophile but you had no idea the link you clicked was to a kiddie porn site?

There will be more incidents like the THC one. We can all tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by godaddy. In the Dmitry Skylarov case it was Adobe who got the court order.

I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) - I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?

It appears that a new WMF attack is coming, as you recall about a year back an WMF vulnerability was used on several high profile sites to infect visitors, this now appears to start happening again.

The first sign of this is the appearance of exploits for the vulnerability, starting off with version specific and evolving into a generic one.

The second sign is web sites being infect with hidden iframe that redirect to a javascript code that is at the moment dormant, or refers to non-existing domains.

The last stage is those javascripts getting modified, or the non-existing domains poping up into existing, you got yourself an infection.

It is time to start your vulnerability assessment engines, make sure all your windows based machines are tested, verify that your website passes a web site audit, and lastly get updated as this news item evolves.

I have a strong distrust of most marketing and sales individuals. I hate evaluating software and getting a dozen calls or emails from some overzealous, inside-sales weenie. For this reason, I usually use bogus information when I fill out the obligatory form requesting the software that I want to play with. Lately, a lot more companies have been ignoring my queries for eval software. While I’m pleased to not be receiving calls or emails, I would appreciate the actual software. Today, while waiting (not too patiently) for my link to come through, I went through the email looking for some clue as to why I wasn’t selected to play with their software. In the HTML, I note a line like this (obfuscated somewhat and using ‘(’ and ‘)’ instead of angle brackets).

(IMG xsrc=”http://somelargesoftwarecompany.com/mk/auth?_ED=abcdefghijklmnopqrstuv

&_esniff=true” HEIGHT=”1″ WIDTH=”1″)

What’s that? Why is HEIGHT and WIDTH equal to 1? How will I ever see that?

So, the natural next question is: What happens when the web browser (or email client) requests that image. Well, it turns out it’s not a real image. It’s size is 0 bytes and the error code is “204 NoContent”.

I add a single quote to the abcdefghijklmnopqrstuv string. Now, I’m getting an error message like:

“MarketFirst encountered an error while processing your request.”

So, what’s the deal with that little, bitty image? Well, it turns out that I’m not supposed to see that little, bitty image. That little snippet is part of a marketing software (MarketFirst) which tracks when and where the email is opened (ooooh, I am *so* hating marketing guys right now).

To see other companies using the marketfirst software, google:
MarketFirst error inurl:”/mk/”

Even more fun, google:
MarketFirst inurl:”/mk/” ODBC error

Wanna try it yourself. Check out:
http://cdcsoftware-marketing.com/mk/get/ca_m1_online_demo_registration?MP=M1COM_HOMEPAGE

You’ll even get your own email which tracks back to their database…call it marketer on marketer crime.

Now, if I could just get a MarketFirst demo evaluation

!Dmitry

P.S. and here’s how to bypass marketer profiling and get your software downloads. Open the email in plain text (it’s MIME encoded). Convert it to HTML text. Post the HTML on some web site. Now, call your buddy at a Fortune50 company and have him/her click the link. I bet you get the download now.

P.S.S Even more fun….embed the HTML in an email to some user at the same company where you are requesting the download

This Hebrew post in linmagazine describes what first sounds like a typical Vishing attack. The author’s mother receives a phone call telling her there’s been a terrible accident and she needs to call the hospital for the details. They give her the ER’s number but tell her to use only her land line. The number is *7200526671955. Strange, but not unusual in Israel where dialing *pizza connects you to Dominos and *mortgage to your local sub prime pusher.
So she calls and calls but there’s no answer, and she rings her son to tell him to try and call.

He rings, and gets a voicemail. Getting suspicious he dial his phone company’s information directory and finds they were conned: *720 is the code for call forwarding, and 052-667-1955 is a local cell number. It’s a clever scheme, actually. All the for-pay phone numbers (sex hotlines, etc) are opt-in which means they are blocked by default (to prevent scams like this, among other things).
However, calls to cellular phones are more expensive (in Israel the caller pays the charge and not the receiver) and so it is possible to cut a deal with the cellular company for revenue sharing and open your own ‘recipe tips’ hotline which should bring in many incoming cellular calls and make everybody (especially the mobile operator) happy. If instead of recipes you make people call because their friend’s phone lines are automatically forwarded to your number, well that doubles the fun.

So these guys figured call forwarding to international numbers won’t work, and chose the mobile option. Although it’s a bit risky (you need to be able to collect the money from the cellular operator before the cookie jar slams shut) but sounds lucrative. Now comes the final step in a Vishing scam like this; you need to convince a lot of people to do the call forwarding, and for that you usually use a Voice-over-IP line with a pre-recorded message. But not these guys: the post’s author confirmed to me that his mother spoke to a flesh-and-blood voice who actually answered her questions, had a perfect Hebrew accent (it wasn’t a Nigerian who went to Jewish Sunday school) and told her the number to call twice (and even waited until she grabbed a pen).

Calling manually is risky: people can trace back the call and find out where you were. Hiring telemarketing is typically out of the question (lets just try to imagine the brief to the telemarketing team) and manually calling hundreds of people is really not cost effective.

So why the manual call? The only thing that comes to mind is they were beta testing or watching to see the response from the cellular company or law agencies. Maybe they are even using Israel as a beta site for an international Vishing attack? When the FBI or secret Service (or Israeli Police) catch them, I hope they ask. With a bit of luck they’ll post a hint here in the comments.

I’m rushing this post out so that this post can be the 1,000th post

I’ve got a project that I’d love to run, but I just don’t have the time. Here’s what I’m thinking of. I want to crawl Fortune 1000 sites and generate fingerprints on their code (ASP, JavaScript, whatever I can read in plain text). I then want to pull out variable names and other unique identifiers from the culled code. With this, I can:

1) see if there has been any cross-pollenation across the sites

2) See if any of these Fortune 1000 web developers have embedded open source code within their app.

3) If (2), I’d like to run the open source code through a static source code analyzer and see if there are any ‘gotchas’.

A few months ago, I did this exercise for a single Fortune 1000 company. I wasn’t really surprised to find a bunch of open source libs in use. In this particular case, I didn’t even need to use google codesearch to find the package that they were using. The company had left all te GNU comment info within the source. It also wasn’t surprising to find that the developers had installed the entire open source project under an ‘include’ directory, even though my spider only found a link to several of the ‘.js’ files. And, lastly, searching bugtraq for this particular product revealed that they were running an older, vulnerable version of their open source software. Mildly interesting. I’d love to automate this. A cool product would:

1) spider a site and download all their code (even HTML can have comment fields or variable names which can be used to track the HTML back to an open source app)

2) Use some algorithm to find uniq identifiers within the code. Store these identifiers.

3) Use some algorithm to compare these identifiers to other sites which have already been spidered and stored.

4) Feed these identifiers to ‘google codesearch’ to see if the code is part of a larger, open source project.

5) If (4) use some algorithm to determine the version level. Query bugtraq for flaws within the observed version.

6) Run the code through some static analyzers looking for coding flaws.

That’s it. Happy 1,000-post birthday Securiteam blogs!

!Dmitry

Apparently Google’s calendar has been elected to become a new spam platform.

I started receiving these a few days ago, at first I thought it to be a fluke but not it has become a flood.

Someone in Google should probably start looking at this and getting it fixed, as this isn’t a “fake” Google calendar invitation but rather a legit Google generated one.

In essence the invitation contains the subject of what can be considered good by most good news:
CONTACT MY SECRETARY FOR YOUR CHEQUE

When I read “Cheque” I am happy

But that is just me, maybe someone else will become sad, maybe the guy who is giving the cheque

And then this is followed by:

My Dear friend

Thanks
Sincerely Yours
Mr,John Max

And finally of course the meeting details in both iCal and vCal, which asks me to meet with them or just reply so that they can tell me exactly where we should meet

The headers of the email show that it was sent by Google’s internal SMTP server and was auto-generated by Google’s calendar service

And it was

…almost 30 years since the first spam message was sent.

We can read more here:

news.bbc.co.uk/2/hi/technology/7322615.stm

SANS ISC has collected a very coverage list of April Fool’s Day stories.

It can be found here:

isc.sans.org/diary.html?storyid=4225

My own favorite is Gmail’s new Custom Time feature

I’d love to hear the background story behind this one:

[CiscoWorks IPM] version 2.6 for Solaris and Windows contains a process that causes a command shell to automatically be bound to a randomly selected TCP port.

Why on earth? And why a random port?

And if you’re still wondering, yes - it’s a remote root shell with no authentication

Remote, unauthenticated users are able to connect to the open port and execute arbitrary commands with casuser privileges on Solaris systems and with SYSTEM privileges on Windows systems.

Cisco is being cruel and only disclosing the technical info. Common Cisco, share the juicy parts! We want Full Disclosure!

It’s time to look the recent state of targeted attacks. Like we already know the main attack vector in these attacks is Microsoft Office attachment. There are no many organizations that simply can filter .DOC, .XLS and .PPT files.
In mid-January Microsoft confirmed that a new, previously unknown Excel vulnerability was used in targeted attacks. On Monday this week US-CERT issued a warning about the new wave of exploitation. This extremely critical vulnerability, rated ‘10.0′ by CVSS meter BTW, was known as header information code execution vulnerability.
The fix is included to today’s Excel Bulletin MS08-014. However, Microsoft says the following now:

What causes the vulnerability?

Microsoft Excel does not properly validate macro information when loading specially crafted Excel files.

In January we had a very small pieces of information related tho this vuln and Trojan exploiting it.

Information about the characteristics of these targeted attack can be read via my FAQ documents.

My wife has just received this email via linkedin:

Subject: Equity Needed

LinkedIn
[name deleted] has sent you a message.
Date: 3/01/2008
Subject: Equity Needed
May I kindly accept a donation of $100 on your behalf? [url to donation page]

Thank you for understanding.

Visiting the donation page brings up the following explanation:
“With the new status update feature on LinkedIn I thought we should have some fun and in the process help me make my first million to jump start my new companies. I would like you to set your status on LinkedIn to “wants you to help [me] make [my] 1st million via LinkedIn: [url]””

I remember hearing a lecture circa 1995-6 about Ipv6 and how the Internet world will come to an end if we don’t adopt it soon. The crisis was a dwindling allocation of IP’s (the early Internet version of a carbon footprint). The fear was that “In 10 years, every man on the planet will have between 10 to 20 IP addresses on him”. But when I heard that, I didn’t really think about the poor IP forests that are taken down every year to accommodate the greedy globalization economy, I thought of privacy.

The end of that discussion is now clear: shortly after I heard the lecture Network Address Translation (NAT) became popular, and IP allocation was no longer a problem. Not only that, but IPv6 went from a “must have” to “we’ll get around to it some day” and is still in the process of being rolled out (slowly) to this day. But the privacy issue still remains.

If every person has an IP (or more than one IP, although that seems less likely nowadays) then we know everything about him. Unlike the virtual world, where we no longer can connect a person with an IP address without correlating half a dozen logs, in the physical world an IP will likely be more like a phone number – something unique and personal.

I thought about this when I read about a Nokia experiment where people transmitted their location to a Nokia center to enable traffic monitoring. Nokia says data is sent anonymously, and I believe them; but even if not, every Nokia device has a private (NAT’ed) address changed almost randomly by DHCP. So tracking again requires long and tedious log correlation and privacy is difficult to compromise.

What, then, will happen with IPv6? If DHCP and NAT increase privacy, is IPv6 a threat? Not an imminent threat, of course, but it is definitely ‘creeping’ in, and some day if there are enough addresses and NAT is not necessary, perhaps every blackberry in the world will have a unique IP address that will be with it forever. That’s a scary thought – if you comment in this blog post using your real name, I can take this information with me and give it to a friend of mine that works in Nokia who will tell me where you are right now. Think about the scene in “Jay and Silent Bob” where they go and beat up the people who posted bad comments about their movie; it suddenly becomes a whole lot easier to do…

My bank forced me to change the login password again; they claim it’s an automated procedure that happens every 90 days, but I know that it actually waits for me to remember the password and then immediately forces me to change it.

When I went in to change it, I was reminded of the draconic rules: it has to be at least 6 characters, with at least 2 numbers and at least 2 uppercase and 2 lowercase. These guys went to the security by obstruction school, no doubt.

I decided to fight back. As I finally got around to remembering this awkward strange password I had to pick 90 days ago, I decided I’m staying with it. So I changed it to something else, which I had to write on a piece of paper for fear of forgetting within 30 seconds (if you saw memento, that movie is about me. And I try to always order beers in bottles since seeing it), and I then went to the ‘change password’ section to change it back to my awkward-but-conditioned-to-memory password.

Naturally, the bank was trying to set me straight. “You can’t change back to any of your last 5 passwords” it told me with a grinning smile, giving me the solution right there. As you can undoubtedly guess, I returned the favor by changing the password 5 times to different things and then changed it back to my old one. I win. Next round in 3 months.

People will always outsmart security systems that try to force them into making the ‘right’ decision. What I’ve done today (and I’m quite proud of it, thank you) is being done every day by people who use their CD-ROMs as coffee trays and have never used any
program that didn’t automatically run when double clicking an icon.

But here’s what is really bothering me: What exactly is the attack scenario here? I would like to see the statistics that show how many attackers actually manage to capture a username and password and only fail because they try to use it after 90 days. While these huge numbers are crunched, please put on the Y-axis how many attackers found the password on a post-it stuck to the monitor because the password is so complicated to remember.

Or maybe so many attackers brute force the password, obviously hundreds of millions of times every day for a single account since there is a clear an immediate need for a long and complicated password (BTW, if this attack is possible, someone should tell me how to do it. I’ve been locked out a few times for failing to type the password correctly within a few guesses. I need a few guesses because I didn’t remember which was the current password, which, as you remember, changes every 90 days).

Being the cynic that I am, and having read enough security policy documents, I can guess why the password policy is the way it is: it’s easy to explain and justify, and it makes sense when showing in a powerpoint slideshow. I once heard from a high-profile organization that due to a successful break-in to their network they decided to tighten up security: all passwords now had to be 9 characters instead of 8. I’m guessing someone was promoted for this genius action, and there’s still enough room to increase it further when the next break-in comes (now that’s thinking ahead).

How is a complex password policy bad? Let me count the ways; It makes your user you enemy instead of your ally. It distracts the security people from the real threat. It gives a false sense of security. It encourages your users to find flaws in your security system and use them. What else? I had more, but somebody just came in the door and I forgot.

Ophir put together a nice analysis on how much it would cost to break the security system of SmugMug.com.
This, in response to a bounty that is advertised on their web site.

I think he’s being generous. The really bad guys (people who make money from cybercrime) have access to countless of “free” machines; the crackers can easily break into a few boxes to use them for the attack Ophir describes. But mainly he’s being generous because he is giving them free security consulting, which is what they really need. Hey, SmugMug guys: a security contest is not a cheap replacement to an actual security audit (or consulting with an expert) just like bug bounties are not replacements for QA.

And only god knows why in 2007 the notion of my-url-is-so-long-nobody-will-guess-it is still alive. What do they teach in CS anyway?