Posted on April 19th, 2008 by Aviram
Filed under: Commentary, Privacy, Law, Culture | 10 Comments »
Anyone who has done serious security research has reached the line that separates good from evil. If you work with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you research botnets you are up to your neck in sensitive information that was obtained illegally.
I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our minds to do something malicious. Finding an SQL injection that gives you full access to the database is fun; using that access to steal money or order items for free is light years away from what we do.
But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNGs. Breaking the PRNG has consequences: while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows whether some government uses a simple Linux-based communication device? An applicable weakness in the PRNG may have a serious impact, and they might decide that shutting Zvi up is easier than replacing all their units.
If you think the previous paragraph is a paranoid conspiracy theory, let’s talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police are trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested on kiddie porn charges, that you are not a dangerous paedophile but had no idea the link you clicked led to a kiddie porn site?
There will be more incidents like the THC one. We can all tell the difference between a proof of concept device that shows how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by GoDaddy. In the Dmitry Sklyarov case it was Adobe who got the court order.
I wouldn’t want to see security research become a licensed profession (like a private detective license or a license to carry a firearm) - I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?
Posted on April 13th, 2008 by Aviram
Filed under: Commentary, Culture, Physical Security, Phishing | No Comments »
This Hebrew post in linmagazine describes what first sounds like a typical Vishing attack. The author’s mother receives a phone call telling her there’s been a terrible accident and she needs to call the hospital for the details. They give her the ER’s number but tell her to use only her land line. The number is *7200526671955. Strange, but not unusual in Israel where dialing *pizza connects you to Dominos and *mortgage to your local sub prime pusher.
So she calls and calls but there’s no answer, and she rings her son to tell him to try and call.
He rings, and gets a voicemail. Getting suspicious, he dials his phone company’s information directory and finds they were conned: *720 is the code for call forwarding, and 052-667-1955 is a local cell number. It’s a clever scheme, actually. All the for-pay phone numbers (sex hotlines, etc.) are opt-in, which means they are blocked by default (to prevent scams like this, among other things).
However, calls to cellular phones are more expensive (in Israel the caller pays the charge and not the receiver), and so it is possible to cut a deal with the cellular company for revenue sharing and open your own ‘recipe tips’ hotline, which should bring in many incoming cellular calls and make everybody (especially the mobile operator) happy. If instead of recipes you make people call because their friends’ phone lines are automatically forwarded to your number, well, that doubles the fun.
So these guys figured call forwarding to international numbers won’t work, and chose the mobile option. It’s a bit risky (you need to be able to collect the money from the cellular operator before the cookie jar slams shut) but sounds lucrative. Now comes the final step in a Vishing scam like this: you need to convince a lot of people to do the call forwarding, and for that you usually use a Voice-over-IP line with a pre-recorded message. But not these guys: the post’s author confirmed to me that his mother spoke to a flesh-and-blood voice who actually answered her questions, had a perfect Hebrew accent (it wasn’t a Nigerian who went to Jewish Sunday school) and told her the number to call twice (and even waited until she grabbed a pen).
Calling manually is risky: people can trace back the call and find out where you were. Hiring telemarketers is typically out of the question (let’s just try to imagine the brief to the telemarketing team) and manually calling hundreds of people is really not cost effective.
So why the manual call? The only thing that comes to mind is that they were beta testing, or watching to see the response from the cellular company or law enforcement agencies. Maybe they are even using Israel as a beta site for an international Vishing attack? When the FBI or Secret Service (or Israeli Police) catch them, I hope they ask. With a bit of luck they’ll post a hint here in the comments.
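As an added example (not from the original post), here is a small decoder for a dial string like the one the victim was given: it splits off the *720 call-forwarding activation code the post describes and renders the remaining digits as the cell number. Treating Israeli numbers that begin with 05 as cellular (caller-pays) is an assumption made for illustration; the post only names 052-667-1955.

```python
import re

# Feature codes to recognise. *720 is the Israeli call-forwarding
# activation code named in the post; nothing else is assumed.
FEATURE_CODES = {
    "*720": "activate call forwarding",
}

# Assumption for illustration: Israeli numbers starting with 05 are cellular,
# so a call to them is billed to the caller (the post's 052-667-1955 is one).
MOBILE_PREFIX = "05"


def normalise(dial_string: str) -> str:
    """Strip spaces, hyphens and parentheses so only the keys pressed remain."""
    return re.sub(r"[\s\-()]", "", dial_string)


def format_il(number: str) -> str:
    """Render a 10-digit Israeli number as 0XX-XXX-XXXX; leave others untouched."""
    if re.fullmatch(r"0\d{9}", number):
        return f"{number[:3]}-{number[3:6]}-{number[6:]}"
    return number


def decode_dial_string(dial_string: str) -> dict:
    """Explain what a dial string really does before someone keys it in.

    Returns the feature code found (if any), its meaning, the destination
    number in readable form, whether that destination is a caller-pays mobile
    number, and a 'suspicious' flag: a hospital never asks you to dial a
    feature code in front of its number.
    """
    keys = normalise(dial_string)
    for code, meaning in FEATURE_CODES.items():
        if keys.startswith(code):
            target = keys[len(code):]
            return {
                "feature_code": code,
                "meaning": meaning,
                "destination": format_il(target),
                "destination_is_mobile": target.startswith(MOBILE_PREFIX),
                "suspicious": True,
            }
    return {
        "feature_code": None,
        "meaning": "plain call",
        "destination": format_il(keys),
        "destination_is_mobile": keys.startswith(MOBILE_PREFIX),
        "suspicious": False,
    }


if __name__ == "__main__":
    # The exact string the victim was told to dial, taken from the post.
    print(decode_dial_string("*7200526671955"))
```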
Posted on April 2nd, 2008 by Juha-Matti
Filed under: Commentary, Spam, Culture | 4 Comments »
And it was… almost 30 years since the first spam message was sent.
We can read more here:
news.bbc.co.uk/2/hi/technology/7322615.stm
Posted on April 2nd, 2008 by Juha-Matti
Filed under: Web, Commentary, Culture, Funny | No Comments »
SANS ISC has collected a very comprehensive list of April Fool’s Day stories.
It can be found here:
isc.sans.org/diary.html?storyid=4225
My own favorite is Gmail’s new Custom Time feature.
Posted on March 20th, 2008 by Aviram
Filed under: Commentary, Culture, Cisco, Funny | 4 Comments »
I’d love to hear the background story behind this one:
[CiscoWorks IPM] version 2.6 for Solaris and Windows contains a process that causes a command shell to automatically be bound to a randomly selected TCP port.
Why on earth? And why a random port?
And if you’re still wondering, yes - it’s a remote root shell with no authentication.
Remote, unauthenticated users are able to connect to the open port and execute arbitrary commands with casuser privileges on Solaris systems and with SYSTEM privileges on Windows systems.
Cisco is being cruel and only disclosing the technical info. Come on, Cisco, share the juicy parts! We want Full Disclosure!
Posted on March 1st, 2008 by Aviram
Filed under: Commentary, Spam, Culture | No Comments »
My wife has just received this email via linkedin:
Subject: Equity Needed
LinkedIn
[name deleted] has sent you a message.
Date: 3/01/2008
Subject: Equity Needed
May I kindly accept a donation of $100 on your behalf? [url to donation page]
Thank you for understanding.
Visiting the donation page brings up the following explanation:
“With the new status update feature on LinkedIn I thought we should have some fun and in the process help me make my first million to jump start my new companies. I would like you to set your status on LinkedIn to “wants you to help [me] make [my] 1st million via LinkedIn: [url]””
Posted on February 18th, 2008 by Aviram
Filed under: Commentary, Privacy, Culture | 1 Comment »
I remember hearing a lecture circa 1995-6 about IPv6 and how the Internet world would come to an end if we didn’t adopt it soon. The crisis was the dwindling allocation of IPs (the early Internet version of a carbon footprint). The fear was that “in 10 years, every man on the planet will have between 10 and 20 IP addresses on him”. But when I heard that, I didn’t really think about the poor IP forests that are cut down every year to accommodate the greedy globalization economy; I thought of privacy.
The end of that discussion is now clear: shortly after I heard the lecture, Network Address Translation (NAT) became popular, and IP allocation was no longer a problem. Not only that, but IPv6 went from a “must have” to “we’ll get around to it some day” and is still in the process of being rolled out (slowly) to this day. But the privacy issue still remains.
If every person has an IP (or more than one IP, although that seems less likely nowadays) then we know everything about him. Unlike the virtual world, where we can no longer connect a person with an IP address without correlating half a dozen logs, in the physical world an IP will likely be more like a phone number: something unique and personal.
I thought about this when I read about a Nokia experiment where people transmitted their location to a Nokia center to enable traffic monitoring. Nokia says data is sent anonymously, and I believe them; but even if not, every Nokia device has a private (NAT’ed) address changed almost randomly by DHCP. So tracking again requires long and tedious log correlation and privacy is difficult to compromise.
What, then, will happen with IPv6? If DHCP and NAT increase privacy, is IPv6 a threat? Not an imminent threat, of course, but it is definitely ‘creeping’ in, and some day, if there are enough addresses and NAT is not necessary, perhaps every BlackBerry in the world will have a unique IP address that will be with it forever. That’s a scary thought – if you comment on this blog post using your real name, I can take this information with me and give it to a friend of mine who works at Nokia, who will tell me where you are right now. Think about the scene in “Jay and Silent Bob” where they go and beat up the people who posted bad comments about their movie; it suddenly becomes a whole lot easier to do…
Posted on February 1st, 2008 by Aviram
Filed under: Web, Commentary, Culture | 1 Comment »
Ophir put together a nice analysis of how much it would cost to break the security system of SmugMug.com, in response to a bounty that is advertised on their web site.
I think he’s being generous. The really bad guys (people who make money from cybercrime) have access to countless “free” machines; the crackers can easily break into a few boxes to use them for the attack Ophir describes. But mainly he’s being generous because he is giving them free security consulting, which is what they really need. Hey, SmugMug guys: a security contest is not a cheap replacement for an actual security audit (or consulting with an expert), just like bug bounties are not a replacement for QA.
And only god knows why in 2007 the notion of my-url-is-so-long-nobody-will-guess-it is still alive. What do they teach in CS anyway?
Posted on January 8th, 2008 by Juha-Matti
Filed under: Web, Commentary, Culture, Virus | No Comments »
The My Admirer application (previously known as Secret Crush) has now been removed from Facebook. The installation process was cancelled during the weekend, but now it is finally gone.
Fortinet reported on the Zango spyware installation related to this application last week. The issue was described in this SecuriTeam post.
The response from Zango Inc. is interesting to read; link to the Zango blog here.
From the post:
At no point in adding the Secret Crush widget to a Facebook profile does the widget install either spyware or Zango software, or even attempt to do so. Any suggestion that Zango software is being “secretly installed” is simply not true.
It appears that there was no automatic installation of spyware at all.
Posted on January 3rd, 2008 by ronaldo
Filed under: Gadgets, Commentary, Culture, Physical Security, Encryption | 2 Comments »
2007 was definitely the Brazilian Christmas for laptops. Finally the prices are reasonable in retail stores; now one can buy a basic laptop for about R$1.600,00 (about US$950). That’s expensive for a 256MB / 512MB Celeron PC, but hey, that’s much better than feeding the parallel market of “contrabando”.
As a side effect, more Muni Wi-Fi and similar initiatives have been emerging in the last few months. The latest came to my attention yesterday: Wi-Fi on Copacabana beach.
Sounds cool, huh? Caipirinhas, lots of hot girls in fio dental, and Wi-Fi (you geek!). Don’t do it, man.
Burglars in Brazil are smart, so be a ninja with your laptop in Brazil. Leave your Targus bag at home; it says “hey, I have a laptop, please steal it from me, Mr. Bad Guy”. Be a ninja with other gadgets like iPods, digital cameras and cell phones too. Nothing on your belt either, Mr. Batman.
Wi-Fi in malls is relatively safe; just take care when you’re leaving the place, and looking back is always good. Airports are safer, but take care on your way to the hotel and when you’re waiting for a taxi. Recently a gang that specialized in laptops was arrested. You know, it’s easy to tell you have a laptop because people help burglars a lot: suits and backpacks (especially Targus and other mainstream brands) don’t mix.
Another tip: the vast majority of hotspots in Brazil are associated with Vex, so purchasing some credits from a safe network before you leave your country would be a good idea. Another tip, actually homework before you leave your country: back up your data, protect your HD with a password if available, encrypt the file system, and have your VPN set up.
Via: Praia de Copacabana deve ter rede Wi-Fi até junho (FolhaOnline 01/02/2007)
Posted on December 21st, 2007 by Aviram
Filed under: Commentary, Culture | No Comments »
The last week of December is sometimes an interesting week in our industry.
IT security is often pictured as a fight between the ‘good guys’ and the ‘bad guys’. Well, from December 25th to January 1st, the battlefield is noticeably skewed in favor of the bad guys.
It’s not too difficult to see why: the CSOs are on vacation. The IT staff is minimal. Nobody would risk deploying a patch that would affect the entire company come January 1st (and who wants their boss to come back to work after a New Year’s party and find out her computer doesn’t boot?). On the vendor side, things are similar; you’d better not find a critical exploitable buffer overflow in this critical week, as there’ll be no one to fix it or deploy a workaround.
Last year, Determina reported the .ANI buffer overflow to Microsoft in December, but the acknowledgment from MS only came in early January (not to mention the patch itself came in March).
Two years ago the WMF exploit made noise, and since the Microsoft engineers were on vacation Ilfak and ZERT had to pitch in and release third-party patches for this problem.
In Christmas 2004, ironically enough, Microsoft was busy with the first .ANI vulnerability (this one reported by eEye), almost identical to the one that followed 2 years later, and again a patch that waited until the MS QA team had time to recover from the New Year’s hangover.
Six years ago, David Litchfield turned Oracle’s then marketing tagline “Unbreakable” into pure mockery by discovering a series of remotely exploitable vulnerabilities which of course were not patched in time for Santa Claus season.
These stories remind me of the Christmas party at the Nakatomi building in “Die Hard”, only in our case the attackers have the additional benefit of the “out of office” messages telling them who left their post (not to mention not all companies have John McClane to save them from imminent doom).
Will this holiday season be quiet? So far there aren’t any clouds on the horizon, so let’s hope it stays that way for another 10 days or so. After all, even we security folks need our R&R…
Happy holidays everyone!
Posted on November 27th, 2007 by Aviram
Filed under: Web, Commentary, Privacy, Culture, Google | 3 Comments »
According to several Israeli newspapers, Google has exposed the IP address of a blogger who was using the Blogger service.
You might think he was posting instructions on how to prepare a nuclear bomb or the secret Coca Cola formula. It’s much, much worse. He was defaming officials in the “Sha’arei Tikva” municipality, which most Israelis can’t even place on a map, and needless to say have little to no interest in the intrigues and political wars there.
My point is, there is no benefit to anyone in exposing the blogger’s IP except to let these officials take him to court, and while Google put up a weak legal fight, the decision was reached by an out-of-court settlement, which means they didn’t even try to go the distance in order to block this request.
I think the main issue is not the blogger’s right to anonymity; it’s more about Google’s unclear policy on what they do with the information they have. We know Google saves search data. We know that they have access to deleted emails on Gmail (for who knows how long). We don’t know what they do on Google Talk, but we can guess. What we already know is scary; the fact that we don’t know the rest is even scarier.
It’s clear to everyone that Google has more information about us and our private lives than any other Internet entity (we had a securitoon about it a while back). Now it’s clear they are playing loose cannon with that information.
Update: Someone identifying herself as a “Google employee” writes in the talkback comments to the article that Google only handed over the IP, that the ISP gave the complete identifying information for that IP, and that the press’s picking on Google is unjustified. If that Google worker is reading this, feel free to email me your version of the story and it will be posted here anonymously (or just leave a comment below).
Posted on November 25th, 2007 by Juha-Matti
Filed under: Commentary, Privacy, Culture, Apple | No Comments »
I’m sure there are people not aware of the current state of the Apple iPhone IMEI case.
It was reported by the UNEASYsilence blog (pointing to an older forum post on Hackint0sh.org) that the “Stocks” and “Weather” widgets send the IMEI number to Cupertino.
That is, something like this:
iphone-wu.apple.com/dgw?imei=%@&apptype=finance
The fact is, however, that the string being sent is not the International Mobile Equipment Identity code.
Reference: Docpool.org/iphone/The day after.en.html
What the widget sends is a UUID (Universally Unique Identifier).
Hey, an IMEI has 15 characters (digits only), while a UUID has 32 characters.
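As an added example (not from the post or the sources it cites), the check below pulls the imei= parameter out of a dgw request like the one above and tells an IMEI (15 digits whose last digit is a Luhn check digit) from a UUID (32 hex digits, with or without hyphens). The identifier values in the sample URLs are constructed; the post’s own URL carries only the %@ format placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

IMEI_RE = re.compile(r"\d{15}")
UUID_HEX_RE = re.compile(r"[0-9a-fA-F]{32}")
UUID_DASH_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def luhn_ok(digits: str) -> bool:
    """Luhn check, as used for the 15th (check) digit of an IMEI."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_device_id(value: str) -> str:
    """Return 'imei', 'imei-bad-check', 'uuid' or 'unknown' for a sent value."""
    if IMEI_RE.fullmatch(value):
        return "imei" if luhn_ok(value) else "imei-bad-check"
    if UUID_HEX_RE.fullmatch(value) or UUID_DASH_RE.fullmatch(value):
        return "uuid"
    return "unknown"


def imei_param_kind(url: str) -> str:
    """Extract the imei= query parameter from a dgw request and classify it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("imei", [])
    if not values:
        return "missing"
    return classify_device_id(values[0])


# Constructed sample: the post's URL with a made-up 32-hex-digit identifier
# in place of the %@ placeholder. Not a real device identifier.
SAMPLE_UUID_URL = ("http://iphone-wu.apple.com/dgw?imei="
                   "0123456789abcdef0123456789abcdef&apptype=finance")

# Constructed sample with a Luhn-valid 15-digit value, i.e. what the request
# would look like if a real IMEI were being sent.
SAMPLE_IMEI_URL = ("http://iphone-wu.apple.com/dgw?imei="
                   "490154203237518&apptype=finance")

if __name__ == "__main__":
    print(imei_param_kind(SAMPLE_UUID_URL))   # uuid
    print(imei_param_kind(SAMPLE_IMEI_URL))   # imei
```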
Posted on November 18th, 2007 by Juha-Matti
Filed under: Web, Commentary, Culture | 1 Comment »
It was 11 days ago that the JAR: protocol vulnerability in Firefox was reported by pdp.
According to Bugzilla entry #369814, the upcoming Firefox 2.0.0.10 (tests done with Gecko/2007111504) is immune to this vulnerability.
A Mozilla Security Blog entry by Mozilla security chief Window Snyder has been posted too.
However, as a workaround, NoScript version 1.1.7.8 and later may prevent this vulnerability from being exploited, as US-CERT VU#715737 states.
The fact is that the Bugzilla report mentioned had already been filed as security-sensitive on 8th Feb; Petkov’s disclosure made it public.
Posted on November 6th, 2007 by Juha-Matti
Filed under: Web, Commentary, Culture, Corporate Security | No Comments »
The role and seriousness of cross-site scripting (XSS) vulnerabilities has been a subject of recent FD discussion.
The fact is that since Saturday 3rd Nov the following have been widely known targets:
sitekey.bankofamerica.com
search.money.cnn.com
www.paypal.com (two issues)
www.zone-h.org
movies.nytimes.com
www.fbi.gov
weblogs.macromedia.com
welcome.intel.com
developer.apple.com
searchg.symantec.com
www.mastercard.com
travel.state.gov
my.aol.com
Additionally, several Yahoo domains have unpatched XSS issues. Mastercardfrance.com has its own XSS vulnerabilities as well.
According to the Xssed.com archives most of these are still unpatched. Some examples:
Symantec: XSS in search function at Enterprise section
Apple Developer Connection: XSS in search function
FBI: XSS in redirect-type URL (try www.fbi.gov/filelink.html?file=//google.fr manually)
Bank of America: XSS on Sign In page (https)
Paypal.com has fixed both of its issues.
Posted on October 28th, 2007 by Aviram
Filed under: Commentary, Privacy, Law, Culture | No Comments »
You all remember cybersquatting, a popular sport in the late 90s, right?
McDonalds.com, JenniferLopez.com, Hertz.com and Avon.com thankfully all point to the right web sites today, but thaiairline.com, mcdonald.com, luftansa.com, gugle.com, barnesandnobles.com and other misspellings are fake web sites intended to trap the casual surfer whose hand is a bit quicker than the eye.
These web site traps are successful because web sites are so easy to remember, people don’t bother bookmarking them. It used to be that if you wanted to know the weather in Minnesota you had to go to http://www.geocities.com/Athens/rubytuesday71/weatherinminnesota281007.html . Today you go to weather.com (or type “weather for Minnesota” in google) and get an immediate response.
If you want to go to the McDonalds web site, you don’t even spend the 10 seconds to look it up – you will type McDonalds.com and expect to see the latest dollar meal menu.
But the same is true for the other popular form of communication – email. If I know the person’s name and company (or free email system) I will generally just type it rather than look it up in my address book.
Of course, back in the hotmail days when John was john_sm1th253@hotmail.com I couldn’t rely on my memory alone. But today, if your name isn’t John Smith, it’s probably not too difficult to get a decent first name/last name combination on gmail, yahoo or some other free mail system, and certainly on your corporate email system.
So will we start seeing cyber-squatting on email addresses? Maybe we already do. There is no real way to know who’s behind a certain email address, and while it’s merely funny if a guy named Roo Taylor gets the email root@aol.com, it could actually be dangerous if some bad guy owns john@gmail.com, johnsmith@gmail.com, johns@gmail.com, etc. Imagine how much legitimate mail is accidentally sent to those accounts by people who send the latest budget figures to their boss at work and also CC his personal address so he can read it from his home machine too.
I have first-hand experience of this ‘attack’. Luckily for me I’ve got the login to aviram@gmail.com (piece of cake. All you need is a “google-in-law”. For me it was as simple as my office neighbor’s wife having a cousin who works for google. Then they sign you up for a new experimental beta google product called “google mail” and you get not only to pick your first name as login, but to send invites to a bunch of envious friends). As gmail becomes more popular I’m receiving invitations to birthday parties of people I don’t know, detailed minutes of brainstorming meetings I’ve never been to and, last week, a bunch of emails with a list of hospital equipment and inventory, all sent to some other ‘aviram’. I can’t imagine what would have happened if my first name were more common. I’m also pretty sure it’s still possible to register gmail accounts with common misspellings and dig out some of the emails that come in.
At the very least, this gives the bad guys a fresh harvest of active email addresses. But if they’re lucky, they may receive an email that carries a personal story that can be exploited further. Think about a young guy sending his parents pictures of his Africa safari trip from an Internet cafe. A simple typo sends the email to our bad guy, who then forges a follow-up email to the parents telling them his wallet was stolen and that they need to wire money to help their stranded son.
Cybersquatting is easy to identify and is usually settled in court. With “email-squatting” I don’t see a clear and obvious solution; in the meanwhile, be sure to only use your address book…
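Added example, not from the original post: a recipient check of the kind the closing advice calls for. Before a message goes out, each recipient is compared against the address book, and an address that is only an edit or two away from a known entry (a dropped dot, a swapped letter, a wrong last character) is flagged as a near miss rather than silently delivered to whoever registered the misspelling. The address-book entries are constructed samples.

```python
# Constructed sample address book; in practice this comes from the mail client.
ADDRESS_BOOK = {
    "john.smith@example.com",
    "aviram@example.com",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[rows - 1][cols - 1]


def check_recipient(recipient: str, book=ADDRESS_BOOK, max_dist: int = 2) -> str:
    """Classify an outgoing recipient as known, a near miss of a known entry, or unknown.

    A near miss is the typo an email-squatter is waiting for, so the caller
    should ask the user to confirm before sending.
    """
    addr = recipient.strip().lower()
    if addr in book:
        return "known"
    best = None
    for known in book:
        dist = osa_distance(addr, known)
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, known)
    return f"near-miss of {best[1]}" if best else "unknown"


if __name__ == "__main__":
    for rcpt in ("john.smith@example.com", "johnsmith@example.com",
                 "jonh.smith@example.com", "aviran@example.com", "jane@example.org"):
        print(rcpt, "->", check_recipient(rcpt))
```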