BlackHat USA 2006 Scandal with Michael Lynn? Not Quite.

yesterday (now two days ago), fx, mumpi (see, i remember!), nicole, dan kaminsky and myself went to the cisco black hat party. with us was the ciscogate renowned michael lynn.
we were fx’s guests, as he kindly invited us (great guy who knows how to have fun, and unlike most people, was as honest and blunt as i usually am when we talked, gotta respect that).

we went to the party, registered, said hello to a couple of cisco employees who knew who each and every one of us was (bouncers), a club bouncer, and entered the party. one of many community fun after-parties that come with these conferences.

so far so good. cisco was fun and the party was great. mike spoke with many cisco guys (no hard feelings on either side, it seems, we’re all in the same industry) and we even got our pictures taken together.

a nice older lady, who kept smiling, stood with us in line as we got into the party, etc. was known to us as a reporter. i was next to mike when he said “hello, how are you?” and moved on, not looking to talk with the press yet still being polite.

she watched as mike signed his name.

then, she released this tabloid-like article on, and i quote:
“juniper researcher michael lynn crashes cisco party at black hat”

further:
“the invite-only party last night that cisco held at a nightclub for black hat conference attendees was crashed by security researcher michael lynn, who last year was sued by cisco for revealing a serious flaw in cisco routers.”

and before i get too annoyed, last quote:
“along with some friends, michael lynn, who now works for cisco rival juniper networks, evaded the security checks cisco had put in place for the party, which included a name check and legal identification. lynn and his friends, declaring “cisco owes us a drink,” gleefully posed in front of a cisco sign inside the pure nightclub. once aware the lynn entourage had crashed the party, cisco employees took it in stride.”

not any usual tabloid though, no sir. this was at network world. you can read this article, if you can call it that, here:
http://www.networkworld.com/news/2006/080306-lynn-cisco-black-hat.html

inventing a story for fun? trying to get mike into trouble? whatever her game is, this was just low.

there were at least six other reporters there, none of them did this. she did.
ellen messmer, thank you.

as a side-note, that same evening we went in a limo to the zdi party, thumbs-up to tipping point (“a division of 3com”) for the great party! and for fx for knowing how to have fun!

gadi evron,
ge@beyondsecurity.com.

HotCaptcha: Wrong! Die, bot, die.

“i met my wife on your captcha!!!” — steve, from new york

this is hilarious. go prove you are a red-blooded male or female rather than a green-blooded vulcan (of course, i do mean bot). hot captcha, at your service.

http://www.hotcaptcha.com/

and, well, it works.

the pics seem to repeat themselves though, so i suspect they can be beaten rather easily. they use hotornot though, so it should be nothing less than brilliant!

this is an excuse to put up another picture of a hot girl from hot or not:

gadi evron,
ge@beyondsecurity.com.

Consultant takes out the hassle of remembering password

A security consultant working for the FBI got hold of Robert Mueller’s password because he, and I quote, “[wanted to] avoid bureaucratic obstacles and better help the FBI install its new computer system”. Good thing for Robert: now he no longer has to remember that pesky password, he can call Joseph Thomas Colon – the consultant – and ask him what his password is. A comic strip in the making (hint hint).

IBM’s Version of Netscape Engineers are Weenies (i.e. Easter Egg)

Everyone probably remembers Microsoft’s “Netscape Engineers are Weenies”; a new hidden message was recently uncovered in IBM’s Wimbledon grand slam XML scoreboard. Unlike Microsoft’s humor, IBM’s humor revolves around using a “Napoleon Dynamite” quote to encrypt data.

You can read more about this here.

Internet Censorship, Websense and YOU

apparently these guys really hate it. probably their parents don’t allow them to view porn, or their school doesn’t allow them to go to warez sites.

in securiteam we get a lot of comments and requests for help from school kids trying to bypass websense to enter anonymizers, etc. so when i came across this video of “jay-walking” about how much websense sucks, i had to share.

is this too much of a private joke? sorry then. :)

personally i strongly oppose internet censorship. i strongly support everyone allowing whatever they want on their own networks.

here is the flic:
http://www.youtube.com/watch?v=gymeb4m23u8&search=websense

gadi evron,
ge@beyondsecurity.com.

Blog Spammer Caught. Now What?

someone just directed me to this url: http://www.spam-blocker-resource.com/

basically, the guy noticed a guy with a laptop; as there are no other laptop users in his building complex he got suspicious and loaded up his “trusty sniffer”. he saw the guy spamming many blogs.

here is a picture from the post:

he disconnected his wireless, ran to his car and followed the spammer home. question is, without breaking the law or crossing the line (“the spammers are breeding!” – the spammer has kids) how does he get him back?

the guy fears retribution (which is why he put this post anonymously somewhere else), but erm, i bet the spammer knows where he lives, right? :)

it’s a cute post with pictures. go see. go see.

speaking of which, our next door neighbors are a blog spamming company.. sorry, search engine optimization company (there are actually legit companies who do that, but not many). those of us who smoke, smoke with them in the breaks. nice guys.

gadi evron,
ge@beyondsecurity.com.

Hilarious: 32 Farts are Better than One!

nod32 protects your ass. :)

one of nod32′s european resellers recently had an amazingly ingenious marketing idea.

they get free marketing from me as well, they earned it!

hilarious! these guys should get a raise.

btw, in hebrew nod means fart. :)

click on the images for full size.

gadi evron,
ge@beyondsecurity.com.

Code Red: Opera Cannot Handle Insufficient Disk Space and the SecuriTeam vs. Sendmail armed conflict

You gotta love those hilarious security advisories:

Opera > 8.02 with torrent support can’t handle not enough space on drive

If your partition is full and u choose to save a torrent on this
partition opera will start using 100% of your cpu and momery and
eventually crash

Tested with opera 9 p 2

Our feel on this is that if you’re out of disk space, the least of your problems is Opera utilizing 100% of your CPU!

By the way, while we’re on the subject of making a fool of yourself, we did our share of the ‘sky is falling’ bit, too. But we’re professionals (well, we’ve had practice) so at least we did it with some style: We followed up with Ido’s non-existing Sendmail memory leak which got Eric Allman all worked up and ended it with a pointy cartoon. Yeah! finally a good fight. Hope it’ll last at least a month.

A final word to Ido: you’re new in the industry, aren’t you? Here, we don’t apologize for mistakes. We bury them in flamewars!

Full-Disclosure to be rated PG-13

earlier today a surprising announcement came from the new full-dicklosure moderators. according to the announcement titled “cheap pr0n, we believe in it!”, the well known cestpool spammers list full-disklosure is undergoing facial reconstruction following their synergy with senunia.
“the first step in implementing the new changes is by making sure advisories will be sent to subscribers at the very least, 200 times. then, to ensure delivery, we will send it 100 more times”. other enhancements as reported by the new moderator, kiddiescript. “the list was recently declared pg-13. we don’t have the word ‘fuck’ on our posts, so we were able to dodge the x rating. shit, i guess we lost that now”.
in response to kiddie’s appointment, the old moderation crew went to their local pub.

the renowned researcher dave aitel said to us in an interview: “what? who told them about my latest gay shit 0day overflow?! it was to be used in the next super secret nsa worm!”

many other self-proclaimed security researchers also showed their amazement with this revolution “how will we get our pr0n now?! well, at least i hope they will revive the old guillotine” said the microsn0t msrc director.

in a press conference this afternoon, gadi evron, another self-proclaimed “expert” said: “i thank the committee for choosing me as the best fd spammer for the year of 2006 but i cannot accept this reward, as i believe i can do even better by the year’s end!”

in shocking surprise (or was it a surprising shock?), the us army remote viewing and psy-ops division came out with the following prediction:
“in the following weeks, there will be several email threads dominating the mailing list, starting with “sunshine sucks”, going through “yeah, we already knew dave sucks” and ending with an extremely unexpected thread on the moderation of the mailing list. the corps is mother. the corps is father. trust the corps.”

and now for the “facts”:
massive mail bombing hit the full-disclosure mailing list this morning. joe jobbing many known security professionals and vendors such as ilja van sprundel, gadi evron and idefense labs, forging their email addresses to send fake advisories declaring vulnerabilities in isc bind, sourcefire snort, microsoft products, vmware, “immunity dave aitel” and other applications.

as one of our readers put it:
“i’ve been trying to unsubscribe all morning, the server must be over-loaded relaying spam!”

the mail bomb is done from one machine:

received: from www.c0replay.net (unknown [206.251.72.74])
by lists.grok.org.uk (postfix) with esmtp id 3bf512123
for ;
sun, 12 mar 2006 07:27:17 +0000 (gmt)

www.c0replay.net, according to another reader, has interesting open ports. the server however is “known” according to some to serve a kiddies group.
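As an added defender-side example (not part of the original post), here is a small Python script that applies the reasoning above to a constructed batch of messages: it unfolds the headers, keeps only the Received: hop written by the list server itself, and tallies the connecting IPs against the forged From: addresses. The relay name and IP are the ones in the header above; the From: addresses, the recipient and the list-server hostname as a trust anchor are assumptions made for the example.

```python
import re
from collections import Counter

TRUSTED_MTA = "lists.grok.org.uk"  # our list server; only its own Received: hop is trusted

# Matches "from <helo> (<rdns> [<ip>]) by <host>"; rdns may be absent: "from h ([1.2.3.4])"
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def make_message(sender, helo, ip, subject):
    """Constructed header block with one trusted hop, folded the way Postfix writes it."""
    return (
        f"Received: from {helo} (unknown [{ip}])\n"
        f"\tby {TRUSTED_MTA} (Postfix) with ESMTP id 3bf512123\n"
        f"\tfor <list-placeholder@example.invalid>; Sun, 12 Mar 2006 07:27:17 +0000 (GMT)\n"
        f"From: {sender}\nSubject: {subject}\n\nbody\n"
    )

# Constructed batch: three forged From: lines (placeholders, not real people), all
# handed to the list server by the one relay named in the post's Received: header.
SAMPLE_MESSAGES = [
    make_message("forged-1@example.invalid", "www.c0replay.net", "206.251.72.74", "fake advisory 1"),
    make_message("forged-2@example.invalid", "www.c0replay.net", "206.251.72.74", "fake advisory 2"),
    make_message("forged-3@example.invalid", "www.c0replay.net", "206.251.72.74", "fake advisory 3"),
]

def unfold_headers(raw):
    """Return [(name, value)] for a header block, joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def parse_received(value):
    """Parse one Received: value into helo/rdns/ip/by, or None if not in that form."""
    m = RECEIVED_RE.match(value)
    return m.groupdict() if m else None

def connecting_relay(raw):
    """IP that handed the message to TRUSTED_MTA, or None if no such hop is present."""
    # Earlier Received: lines and From: are sender-written and are exactly what a
    # joe job forges, so only the hop our own MTA recorded is used as evidence.
    for name, value in unfold_headers(raw):
        if name.lower() == "received":
            hop = parse_received(value)
            if hop and hop["by"].lower() == TRUSTED_MTA:
                return hop["ip"]
    return None

def relay_summary(messages):
    """Counter of connecting relay IPs plus the set of claimed From: addresses."""
    ips = Counter(connecting_relay(m) for m in messages)
    senders = {v for m in messages for n, v in unfold_headers(m) if n.lower() == "from"}
    return ips, senders

def single_source(messages):
    """True when every message was handed in by the same identified relay."""
    ips, _ = relay_summary(messages)
    return len(ips) == 1 and None not in ips
```

On the constructed batch the three different From: addresses collapse to a single connecting IP, which is the evidence the post relies on; a real mailbox export would be fed to the same functions one message at a time.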

arin whois information:

rtechhandle: du24-arin
rtechname: unfried, david
rtechphone: +1-909-727-5045
rtechemail: dru@linkline.com

orgabusehandle: linkl-arin
orgabusename: linkline communications
orgabusephone: +1-909-972-7118
orgabuseemail: abuse@linkline.com

orgnochandle: lcn3-arin
orgnocname: linkline communications noc
orgnocphone: +1-909-972-7118
orgnocemail: noc@linkline.com

orgtechhandle: mb1596-arin
orgtechname: benzakein, marc a
orgtechphone: +1-909-972-7111
orgtechemail: mbenz@linkline.com

(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)

Oracle Secure Search: The World’s Greatest Paradox?

A colleague of mine once used a term that seemed very fitting to a particular security process. He termed it what it was, in my opinion: a disgrace. That’s hard to say seriously without immediately thinking of the company that has, in the security space, re-defined what it means to be a disgrace: Oracle.

Further, Larry Ellison has also provided us today with a re-definition of what it means to be in denial. Speaking of Oracle’s as-yet-unfinished Secure Enterprise Search product, Ellison says:

We have the security problem solved. That’s what we’re good at, and that’s the hard part of the problem.

I’ll allow you some time to recover. I sure needed it.

Newsflash, Larry: repeating it ten thousand times doesn’t make it true, and it doesn’t bode well for you that you appear to believe your customers are stupid. You have security solved about as well as most of your industry did five years ago.

And by the way… what planet/drug are you on? It seems like a nice, carefree place. You’ll have to show me around sometime.

If Oracle is good at security, I’d really hate to see something they’re not good at. Oracle’s “security process” today is the unquestioned laughing-stock of the entire software industry, and is a justification of lousy practices elsewhere. Whenever I ask tough questions about timelines and other continual problems at other shops, I hear: “Hey, don’t look at us! We could be like… Oracle.”

Oracle’s developers write and ship the buggiest software in the history of the human race and are, apparently, often at a loss for how to even fix their innumerable screw-ups. This is evidenced by delays of hundreds of days (several years in the worst cases), only to find fixes of such high standards of quality that they cause huge breakages in their attempt to fix hundreds of different flaws. The sad thing? These broken patches are probably the only good ones Oracle ever developed. We’ve seen so many reports of Oracle’s patches failing to fix the targeted vulnerability that such reports are taken as ordinary. If you can’t secure it, breaking it so badly that the vulnerable code is no longer functional is the cheap way out.

Further, now we’re supposed to believe that Oracle has security “solved” and that its customers are filled with joy by monstrous CPUs with hundreds (or thousands) of vulnerability fixes, with only about a 10% chance (or less) that the fix will actually work?

More perplexing is one more significant question: people are actually buying this?

It’s amazing that Oracle’s “Unbreakable Linux” campaign has made such a business of crap-peddling. I really don’t understand their success. After all, if any other commercial software vendor were to claim its software was unbreakable (especially after Oracle’s mockery of the term) it would likely draw a lot of gut-busting laughter and be out of business shortly thereafter. Somehow, Oracle has survived with only one of the two.

With as much success as Larry’s had in software, I’d love to see him move this unbreakable Linux campaign to stand-up comedy. I’m sure he’d have some wicked ratings.

Security by obscurity or just an old trick from the movies?

this appears to be the very opposite of security by obscurity.

call attention to yourself by being a stinky, smelly foul-looking… thing.

would you hide your money/valuables in this?

i love this idea, it is just cool. aside to cool… there is nothing much more to it in my opinion.
i might use it, but inside a safe. whichever the case it is just too obvious.

the first thing any kgb trainee learned (according to the movies) is that however much they would like to be inconspicuous by being the weirdo everybody looks at or by drawing attention in a way they think a person not hiding would act… you just.. duh.. draw attention to you.

you want to be quiet, hidden and in the shadows? do just that.

cute idea, funny.. but in my opinion not very useful. we do learn from everything though and this is a good study in security:
1. generally, don’t draw attention to what you want hidden.
2. don’t assume the bad guys are not already on to you… if they start seeing soiled underwear in too many houses (or in the news), you are done. anything secure only by secrecy does not outlive the secret.

gadi evron,
ge@beyondsecurity.com.

Memoirs of a (relative) virus researcher

[Ring]

“Hello?”

“Hi, Rob.”

“Oh, hi, Larry.”

“You busy?”

“Oh, reading through message logs for virus-related stuff like usual.”

“Geez, every time I call you’re always doing that! How much time do you put in on that every week, anyway?”

“Oh, about 60 hours altogether, I guess.”

“Rob, you know you’re wasting your time on that stuff. I mean, it may be interesting, and all that, but no one is ever going to care about it. How often do you see a virus on somebody’s machine, anyway?”

“Oh, it happens.”

“Yea, well … anyway, you got a minute?”

“Always time for my favorite brother-in-law. You still setting stuff up on your friend’s machine?”

“Yeah, and I need some more space. There’s a directory in Windows called TEMP and it has a whole bunch of files with .TMP extensions. Do I need them?”

“Nope. Like it indicates, they’re just temporary files that Windows hasn’t cleaned up when it finished with them. As long as Windows isn’t running, just dump ‘em.”

“OK, good. That’ll get me about a dozen megs. What about these files all over the place with .BK! extensions?”

“They’re WordPerfect backup files. If your friend doesn’t want them, you can get rid of them, too.”

“You mean I have to go through every directory and delete them?”

“No, you can do it more easily. Remember that SEEK program? Ask it to look for them and redirect the output to a file. That way you get a list of all the filenames with a full pathname, and you can edit the file into a batch file to delete them all.”

“Oh, OK, yeah, I can see that. Oh, by the way, I saw something strange just a minute ago. When I was rebooting the machine, right at the beginning it said ‘Your PC is now Stoned.’ Do you know why it did that?”

“Yes, as a matter of fact I can tell you exactly what it means, Larry. Your friend’s computer has a virus.”

How to get a job with pen-testing team.

It’s cold and gloomy outdoors. I’m feeling pretty faded (errr, jaded) right about now. I’m sure all you corporate hangers-on have seen the Big-whatever companies come in with their pen-testing or audit teams. Some of them call themselves pen-testing, some Tiger, some white-hat hacker, whatever. They should just state that they are inept p0sers. But, that gets me thinking (on just such a day) what it would take to get hired at one of these Big-whatever companies. So, without further ado:

Rule 1 – You can’t run Windows. Seriously, don’t even consider showing up to a Con|interview|class|etc with Windows. Even if you have to run a CD distro, or OpenBSD at runlevel 3, you must do it. You will be scoffed at and not taken seriously with a Windows machine. For bonus points, put con stickers or anti-microsoft stickers on the laptop. You get extra bonus points if you’re running a Mac. Just pull up Safari and browse over to slashdot. Yeah, you’re rolling hardcore now.

Rule 2 – You must have complete and utter disdain for any authority figure. You’re the rebel – the misunderstood creative genius. Act the part.

Rule 3 – You must be a coder of some sort (‘Hello world’ is sufficient). Ruby and Python are pretty cool right now. C is an old standard and always well respected. If you’re running one of those GUI APIs that really makes things much easier, STOP. It’s not cool. gcc or death.

Rule 4 – You’ll have to be a Goth, punk, or (less bonus points) a long-hair. You must dress and look the part. Yes, Dave Aitel showed up to Defcon wearing a shirt and tie…but, hey, he’s Dave. If you’re not Dave, you have to look like a meth junkie, sorry. There *are* bonus points for piercings and tattoos.

Rule 5 – On some elite mailing list, you must have gotten a wink (both ‘;)’ and ‘;-)’ are acceptable) from some security guru. !wink == !cool (incidentally, I just satisfied rule 3 – Go me!)

Rule 6 – You must have a ‘Niche skill’. Not only must you have the niche skill, you must talk about it a LOT. Certain skills are worth more than others, so I’ll do a quick rundown on which skills generate the most bonus points. If it’s not on this list, then it’s worth negative points and you should avoid it at all cost.

Reversing – Crank up IDA Pro, put on that “I’m so busy doing really, really important reversing that you dare not ask me any questions” look and watch those bonus points ROLL IN!

Writing exploits or shellcode – Still very cool. Try to be seen with either a .s file open (use vi editor, don’t make the mistake of using emacs or pico or, G-d forbid, a GUI editor) or gdb. In a crunch, you can have a .c file open, but don’t make it a habit. You’ll need to work on that “don’t bother me look”, lest someone ask you wtf you’re doing.

Fuzzing – Do NOT tell anyone that you use a commercial or open-source fuzzer. That’s like -500 bonus points. No, my friend, you write your own fuzzers. “Yeah, cuz like, SPIKE wasn’t doing enough pairwise-relationships between parameters so I had to like, write my own fuzzer that took advantage of like binary relations across multiple fields and stuff and like, I’d explain it to you but it’s really complicated and like …” ad infinitum.

TCP/IP Ninja – Really low on the spectrum. It used to be really cool but now, unless your name is Kaminsky, you’re not really getting much spin with this one. Maybe when people figure out that there are still bugs to be found at layers 2,3, and 4 of the stack this will get some rejuvenation…but, until then, I don’t recommend this one.

Rule 7 – You must be the project owner of some arbitrary project… Have some pet project that you supposedly work on all hours of the night. Send out emails at all hours of the night (use cron if you have to) telling your boss that you have a great idea for some cool new reversing/fuzzing/exploiting-shellcode_generating-morphing-inline-tcp-ip-ninja-death-ray machine that you are working on. If they ever ask to see a working demo, take the coder’s moral high road (i.e. make up some reason why you are so elite that you dare not try the tool until you’ve tweaked out some bugs…or whatever).

Rule 8 – Coherent statements are not for you. That’s right, even if you have to go back and add in typos, do it. I should probably give a few examples.

Bad email – Good evening Mister Jones, I was just working on my project for that Death Ray auto-pen-testing machine and wondered if you had any feedback regarding how we would handle shellcode delivery across SCADA or process control networks. Further, as I am putting in so much time with this project, I may need to be a little late tomorrow morning.

Good email – hey. so, im rewrking the shellcode delivrey mechanism for teh scada and pc networks and if you had anyhthing to add before I commit thes to CVS then can you shoot me an email. I might be in late tomorrow depeending on how son I get thes bugs worked out.

That’s about it. Good luck, I’m sure I’ll be seeing you soon.

!Dmitry

Who kisses ass better, Piotr or Marc?

In a recent DD thread there was a discussion on the fonts vulnerability.

Apparently Piotr Bania discovered the same vulnerability eEye did and started working on an advisory when Microsoft released the patch.

We feel sorry for Piotr as he is a great guy, still, as he himself admitted there is no glory for coming in second.

Marc Maiffret was pretty decent about it too, and agreed that it was a shame, but still, eEye released it first.

So far so good… except for the fact these guys just don’t know when to stop!

“You’re cool.”
“No, you’re cool.”
“You are cooler.”
“No, you are cooler.”
“Nahh, you are so much cooler.”
“No way dude, you are the best.”

Come on guys, we can’t tell you apart anymore from so much mutua.. err.. we will use a big word.. erm… bilateral ass-kissing!

(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)

Burn! The hammer of God buries Gadi

in a recent bugtraq post gadi evron (admittedly, also a blogger here) wrote about community standards and how “we as an industry” got used to lousy service from vendors when it comes to timely patches or high levels of false positives.

word.

he had some good points and clarified them in a later bugtraq post, as well as in his blog. but…

who cares?!
he compared us to ~@!q#!~!~@@$ toads!
what’s that all about?

good points or not… burn!
thor (hammer of god) replied, completely burying Sunshine. yeah, we love our fellow blogger, all for one, fellowship of the ring and all but thor – that is da shit!

burn!

so sunshine, how does it feel to get smacked with a hammer from god?

thor’s cool post can be found here. thor definitely gets our thumbs up! for improving buggytraq(*) this month.

burn!
we all love meaningful replies with the main idea of “you suck. you should not write what you wrote, and therefore i will post this, coz you did. but should not. and then i posted …”. anyways, Sunshine was completely “humbled” by this flame (or in other words, stfu). finally some good flames on bugtraq. since fd became moderated (almost :p) bugtraq’s moderation could not resist the hammer of god’s strike.

now Sunshine – you know we love ya, but hey man, quit while you’re ahead. you’re not supposed to actually answer thor!
boring.

may that be the beginning of cool flame wars on bugtraq. now that n3td3v is fading out and gobbles is gone, our little space is getting boring…

kudos to Sunshine for being a sport and not getting mad about this post. but here’s a suggestion for you: take our advice and stay quiet for a while ;-) of course, except for this blog.

(*) credit goes to larry seltzer for this perfect name/description. what’s with all the out of office messages? recent count showed there are more ooo bounces than actual bugtraq subscribers.

(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)

Feeling Lonely? MySpace to the rescue

MyFriendAdder.com now promotes a service for ONLY $9.00 that will allow you to add hundreds if not thousands of new friends to Myspace. Moreover, they promise to give you The Ultimate Tool for Myspace.com Success! :)

In one of their examples a Myspace web site is quoted to have 29,409,957 friends :) wow… I didn’t know there were so many Myspace users out there …

I guess this was bound to happen, first comes the worm, quickly followed by fraudsters.
