Wikipedia Abused in a Nigerian Scam [updated]

apparently, this guy spammed himself and referred to a wikipedia article he created to give himself credibility.

cute! :)

phishing by wikipedia? the admins will probably notice this soon and remove it, but if this becomes as common-place as comment spam has, i am not sure they can handle the over-head. this is about money, and the bad guys make a lot.

it’s also possible this is a joe job on someone real.

the entry in wikipedia appears to be about a real person related to organized crime. i wonder why he of all people was chosen to be used in this scam?

hello dear friend!!!
vladimir ivanov (vladimir ivanov)
today 18:11:52


Wireless not working? go Wired

I arrived at Ataturk Airport (for those who don’t know its located in Turkey), and found out their Wireless network is worth … wait it … shit … You can hardly get a signal, I stood near the Free Wireless Access(tm) sign and got less than 15% signal, frustrated, I decided to go the extra mile.

The Turks are really nice, they provide Internet access points to people sitting in the travelers lounge, these Internet access points are connected via Ethernet. I decided to give it a shot and plugged my laptop to the socket… damn, nothing … most have a sophisticated IDS/IPS/ACL/NOC/[Insert buzzword] device blocking me. Not yet ready to lose the war… was I at war? :) … I decided to issue this command:
ifconfig eth0 hw ether XX:XX:XX:XX:XX:XX

Where I replaced the XX:XX:XX:XX:XX:XX with the MAC address of the Internet access point which I sniffed using Wireshark ™ – known in the past as Ethereal – and voula, “free” Ethernet based access to the network… though wired :(

I am sure the guys at the security department were telling jokes, think of the poor bastard that will plug his laptop and see that it won’t work … mohahaa…, but hey, I guess you need to get smarter, MAC address are no means of detecting the remote computer’s identity :)

That is it for now. C’ya


Copyright in a packet

Can you tell who wrote this poem?

Everybody follows
Speedy bits exchange
Stars await to glow”

You’re right!
Oracle JDBC Client programmers.

I was sniffing my network and encountered this poem in the RAW bytes of one of Oracle’s JDBC logon packets.

The RAW bytes of the packet (Data is in Hex; on the right ASCII translation):

22 4f 72 “Or
61 63 6c 65 0a 45 76 65 72 79 62 6f 64 79 20 66 acle.Everybody f
6f 6c 6c 6f 77 73 0a 53 70 65 65 64 79 20 62 69 ollows.Speedy bi
74 73 20 65 78 63 68 61 6e 67 65 0a 53 74 61 72 ts exchange.Star
73 20 61 77 61 69 74 20 74 6f 20 67 6c 40 6f 77 s await to gl@ow
22 0a 54 68 65 20 70 72 65 63 65 64 69 6e 67 20 “.The preceding
6b 65 79 20 69 73 20 63 6f 70 79 72 69 67 68 74 key is copyright
65 64 20 62 79 20 4f 72 61 63 6c 65 20 43 6f 72 ed by Oracle Cor
70 6f 72 61 74 69 6f 6e 2e 0a 44 75 70 6c 40 69 poration..Dupl@i
63 61 74 69 6f 6e 20 6f 66 20 74 68 69 73 20 6b cation of this k
65 79 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 ey is not allowe
64 20 77 69 74 68 6f 75 74 20 70 65 72 6d 69 73 d without permis
73 69 6f 6e 0a 66 72 6f 6d 20 4f 72 61 63 6c 31 sion.from Oracl1
65 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 43 e Corporation. C
6f 70 79 72 69 67 68 74 20 32 30 30 33 20 4f 72 opyright 2003 Or
61 63 6c 65 20 43 6f 72 70 6f 72 61 74 69 6f 6e acle Corporation

As you can see – the packet, belonging to our corporate world, had a Copyright mark, just after the poem.

“The preceding key is copyrighted by Oracle Corporation.
Duplication of this key is not allowed without permission
from Oracle Corporation. Copyright 2003 Oracle Corporation”

Well, what next?.. Harry Potter on P2P packets or maybe Copyrighted MD5s?

Live long and prosper,

Kfir Damari,


Courtney Love explains BGP

it is not often we get to have some fun while dealing with the realm of bgp. that said, you can get a good rotfl and learn from this surprisingly informative post:

if you like, look for other posts there, such as “don king on ip access lists” or “gary coleman on priority queuing”. whatever you do, read this. :)

have fun. :)

thank to twi for this link.

gadi evron,


BlackHat USA 2006 Scandal with Michael Lynn? Not Quite.

yesterday (now two days ago), fx, mumpi (see, i remember!), nicole, dan kaminsky and myself went to the cisco black hat party. with us was the ciscogate renowned michael lynn.
we were fx’s guests, as he kindly invited us (great guy who knows how to have fun, and unlike most people, was as honest and blunt as i usually am when we talked, gotta respect that).

we went to the party, registered, said hello to a couple of cisco employees who knew who each and every one of us was (bouncers), a club bouncer, and entered the party. one of many community fun after-parties that come with these conferences.

so far so good. cisco was fun and the party was great. mike spoke with many cisco guys (no hard feelings on either side, it seems, we’re all in the same industry) and we even got our pictures taken together.

a nice older lady, who kept smiling, stood with us in line as we got into the party, etc. was known to us as a reporter. i was next to mike when he said “hello, how are you?” and moved on, not looking to talk with the press yet still being polite.

she watched as mike signed his name.

then, she released this tabloid-like article on, and i quote:
“juniper researcher michael lynn crashes cisco party at black hat”

“the invite-only party last night that cisco held at a nightclub for black hat conference attendees was crashed by security researcher michael lynn, who last year was sued by cisco for revealing a serious flaw in cisco routers.”

and before i get too annoyed, last quote:
“along with some friends, michael lynn, who now works for cisco rival juniper networks, evaded the security checks cisco had put in place for the party, which included a name check and legal identification. lynn and his friends, declaring “cisco owes us a drink,” gleefully posed in front of a cisco sign inside the pure nightclub. once aware the lynn entourage had crashed the party, cisco employees took it in stride.”

not any usual tabloid though, no sir. this was at network world. you can read this article, if you can call it that, here:

inventing a story for fun? trying to get mike into trouble? whatever her game is, this was just low.

there were at least six other reporters there, non of them did this. she did.
ellen messmer, thank you.

as a side-note, that same evening we went in a limo to the zdi party, thumbs-up to tipping point (“a division of 3com”) for the great party! and for fx for knowing how to have fun!

gadi evron,


HotCaptcha: Wrong! Die, bot, die.

“i met my wife on your captcha!!!” — steve, from new york

this is hillarious. go prove you are a red-blooded male or female rather than a green blooded vulcan (of course, i do mean bot). hot captcha, at your service.

and, well, it works.

the pics seem to repeat themselves though, so i suspect they can be beaten rather easily. they use hotornot though, so it should be nothing less than brilliant!

this is an excuse to put up another picture of a hot girl from hot or not:

gadi evron,


Consultant takes out the hassle of remembering password

A security consultant working for the FBI, got a hold of Robert Mueller’s password because he, and I quote: “[he wanted] avoid bureaucratic obstacles and better help the FBI install its new computer system”. Good thing for Robert, now he no longer has to remember that pesky password, he can call Joseph Thomas Colon – the consultant – and ask him what is password is.. I comic strip in the making (hint hint).


IBM version’s Netscape Engineers are Weenies (i.e. Easter Egg)

Everyone probably remembers Microsoft’s Netscape Engineers are Weenies, a new hidden message was recently uncovered in IBM’s Wimbledon grand slam XML scoreboard XML. Unlike Microsoft’s humor, IBM’s humor revolves around using a “Napoleon Dynamite” quote to encrypt data.

You can read more about this here.


Internet Censorship, Websense and YOU

apparently these guys really hate it. probably their parents don’t allow them to view porn, or their school doesn’t allow them to go to warez sites.

in securiteam we get a lot of comments and requests for help from school kids trying to bypass websense to enter anonymizers, etc. so when i came across this video of “jay-walking” about how much websense sucks, i had to share.

is this too much of a private joke? sorry then. :)

personally i strongly oppose internet censorship. i strongly support everyone allowing whatever they want on their own networks.

here is the flic:

gadi evron,


Blog Spammer Caught. Now What?

someone just directed me to this url:

basically, the guy noticed a guy with a laptop, as there are no other laptop users in his building complex he got suspicious and loaded up his “trusty sniffer”. he saw the guy spamming many blogs.

here is a picture from the post:

he disconnected his wireless, ran to his car and followed the spammer home. question is, without breaking the law or crossing the line (“the spammers are breeding!” – the spammer has kids) how does he get him back?

the guy fears retribution (which is why he put this post anonymously somewhere else), but erm, i bet the spammer knows where he lives, right? :)

it’s a cute post with pictures. go see. go see.

speaking of which, our next door neighbors are a blog spamming company.. sorry, search engine optimization company (there’s actually legit companies who do that, but not many). those of us who smoke, smoke with them in the breaks. nice guys.

gadi evron,


Hilarious: 32 Farts are Better than One!

nod32 protects your ass. :)

one of nod32′s european resellers recently had an amazingly ingenius marketing idea.

they get free marketing from me as well, they earned it!

hilarious! these guys should get a raise.

btw, in hebrew nod means fart. :)

click on the images for full size.

gadi evron,


Code Red: Opera Cannot Handle Insufficent Disk Space and the SecuriTeam vs. Sendmail armed conflict

You gotta love those hilarious security advisories:

Opera > 8.02 with torrent support can’t handle not enough space on drive

If your partition is full and u choose to save a torrent on this
partition opera will start using 100% of your cpu and momery and
eventually crash

Tested with opera 9 p 2

Our feel on this is that if you’re out of disk space, the least of your problems is Opera utilizing 100% of your CPU!

By the way, while we’re on the subject of making a fool of yourself, we did our share of the ‘sky is falling’ bit, too. But we’re professionals (well, we’ve had practice) so at least we did it with some style: We followed up with Ido’s non-existing Sendmail memory leak which got Eric Allman all worked out and ended it with a pointy cartoon. Yeah! finally a good fight. Hope it’ll last a least a mounth.

A final word to Ido: you’re new in the industry, aren’t you? Here, we don’t apologize for mistakes. We bury them in flamewars!


Full-Disclosure to be rated PG-13

earlier today a surprising announcement came from the new full-dicklosure moderators. according to the announcement titled “cheap pr0n, we believe in it!”, the well known cestpool spammers list full-disklosure is undergoing facial reconstruction following their synergy with senunia.
“the first step in implementing the new changes is by making sure advisories will be sent to subscribers at the very least, 200 times. then, to ensure delivery, we will send it 100 more times”. other enhancements as reported by the new moderator, kiddiescript. “the list was recently declared pg-13. we don’t have the word ‘fuck’ on our posts, so we were able to dodge the x rating. shit, i guess we lost that now”.
in response to kiddie’s appointment, the old moderation crew went to their local pub.

the renowned researcher dave aitel said to us in an interview: “what? who told them about my latest gay shit 0day overflow?! it was to be used in the next super secret nsa worm!”

many other self-proclaimed security researchers also showed their amazement with this revolution “how will we get our pr0n now?! well, at least i hope they will revive the old guillotine” said the microsn0t msrc director.

in a press conference this afternoon, gadi evron, another self-proclaimed “expert” said: “i thank the committee for choosing me as the best fd spammer for the year of 2006 but i cannot accept this reward, as i believe i can do even better by the year’s end!”

in shocking surprise (or was it a surprising shock?), the us army remote viewing and psy-ops division came out with the following prediction:
“in the following weeks, there will be several email threads dominating the mailing list, starting with “sunshine sucks”, going through “yeah, we already knew dave sucks” and ending with an extremely unexpected thread on the moderation of the mailing list. the corps is mother. the corps is father. trust the corps.”

and now for the “facts”:
massive mail bombing hit the full-disclosure mailing list this morning. joe jobbing many known security professionals and vendors such as ilja van sprundel, gadi evron and idefense labs, forging their email addresses to send fake advisories declaring vulnerabilities in isc bind, sourcefire snort, microsoft products, vmware, “immunity dave aitel” and other applications.

as one of our readers put it:
“i’ve been trying to unsubscribe all morning, the server must be over-loaded relaying spam!”

the mail bomb is done from one machine:

received: from (unknown [])
by (postfix) with esmtp id 3bf512123
for ;
sun, 12 mar 2006 07:27:17 +0000 (gmt), according to another reader, has interesting open ports. the server however is “known” according to some to serve a kiddies group.

arin whois information:

rtechhandle: du24-arin
rtechname: unfried, david
rtechphone: +1-909-727-5045

orgabusehandle: linkl-arin
orgabusename: linkline communications
orgabusephone: +1-909-972-7118

orgnochandle: lcn3-arin
orgnocname: linkline communications noc
orgnocphone: +1-909-972-7118

orgtechhandle: mb1596-arin
orgtechname: benzakein, marc a
orgtechphone: +1-909-972-7111

(got anything to tell ren&stimpy? email us:


Oracle Secure Search: The World’s Greatest Paradox?

A colleague of mine once used a term that seemed very fitting to a particular security process. He termed it what it was, in my opinion: a disgrace. That’s hard to say seriously without immediately thinking of the company that has, in the security space, re-defined what it means to be a disgrace: Oracle.

Further, Larry Ellison has also provided us today with a re-definition of what it means to be in denial. Speaking of Oracle’s as-yet-unfinished Secure Enterprise Search product, Ellison says:

We have the security problem solved. That’s what we’re good at, and that’s the hard part of the problem.

I’ll allow you some time to recover. I sure needed it.

Newsflash, Larry: repeating it ten thousand times doesn’t make it true, and it doesn’t bode well for you that you appear to believe your customers are stupid. You have security solved about as well as most of your industry did five years ago.

And by the way… what planet/drug are you on? It seems like a nice, carefree place. You’ll have to show me around sometime.

If Oracle is good at security, I’d really hate to see something they’re not good at. Oracle’s “security process” today is the unquestioned laughing-stock of the entire software industry, and is a justification of lousy practices elsewhere. Whenever I ask tough questions about timelines and other continual problems at other shops, I hear: “Hey, don’t look at us! We could be like… Oracle.”

Oracle’s developers write and ship the buggiest software in the history of the human race and are, apparently, often at a loss for how to even fix their inenumerable screw-ups. This is evidenced by delays of hundreds of days (several years in the worst cases) , only to find fixes of such high standards of quality that they cause huge breakages in their attempt to fix hundreds of different flaws. The sad thing? These broken patches are probably the only good ones Oracle ever developed. We’ve seen so many reports of Oracle’s patches failing to fix the targeted vulnerability that such reports are taken as ordinary. If you can’t secure it, breaking it so badly that the vulnerable code is no longer functional is the cheap way out.

Further, now we’re supposed to believe that Oracle has security “solved” and that its customers are filled with joy by monstrous CPUs with hundreds (or thousands) of vulnerability fixes, with only about a 10% chance (or less) that the fix will actually work?

More perplexing is one more significant question: people are actually buying this?

It’s amazing that Oracle’s “Unbreakable Linux” campaign has made such a business of crap-peddling. I really don’t understand their success. After all, if any other commercial software vendor were to claim its software was unbreakable (especially after Oracle’s mockery of the term) it would likely draw a lot of gut-busting laughter and be out of business shortly thereafter. Somehow, Oracle has survived with only one of the two.

With as much success as Larry’s had in software, I’d love to see him move this unbreakable Linux campaign to stand-up comedy. I’m sure he’d have some wicked ratings.


Security by obscruity or just an old trick from the movies?

this appears to be the very opposite of security by obscurity.

call attention to yourself by being a stinky, smelly foul-looking… thing.

would you hide your money/valuables in this?

i love this idea, it is just cool. aside to cool… there is nothing much more to it in my opinion.
i might use it, but inside a safe. whichever the case it is just too obvious.

the first thing any kgb trainee learned (according to the movies) is that however much they would like to be inconspicuous by being the weirdo everybody looks at or by drawing attention in a way they think a person not hiding would act… you just.. duh.. draw attention to you.

you want to be quiet, hidden and in the shadows? do just that.

cute idea, funny.. but in my opinion not very useful. we do learn from everything though and this is a good study in security:
1. generally, don’t draw attention to what you want hidden.
2. don’t assume the bad guys are not already on to you… if they start seeing soiled underwear in too many houses (or in the news), you are done. anything secure only by secrecy does not outlive the secret.

gadi evron,


Memoirs of a (relative) virus researcher



“Hi, Rob.”

“Oh, hi, Larry.”

“You busy?”

“Oh, reading through message logs for virus-related stuff like usual.”

“Geez, every time I call you’re always doing that! How much time do you put in on that every week, anyway?”

“Oh, about 60 hours altogether, I guess.”

“Rob, you know you’re wasting your time on that stuff. I mean, it may be interesting, and all that, but no one is ever going to care about it. How often do you see a virus on somebody’s machine, anyway?”

“Oh, it happens.”

“Yea, well … anyway, you got a minute?”

“Always time for my favorite brother-in-law. You still setting stuff up on your friend’s machine?”

“Yeah, and I need some more space. There’s a directory in Windows called TEMP and it has a whole bunch of files with .TMP extensions. Do I need them?”

“Nope. Like it indicates, they’re just temporary files that Windows hasn’t cleaned up when it finished with them. As long as Windows isn’t running, just dump ‘em.”

“OK, good. That’ll get me about a dozen megs. What about these files all over the place with .BK! extensions?”

“They’re WordPerfect backup files. If your friend doesn’t want them, you can get rid of them, too.”

“You mean I have to go through every directory and delete them?”

“No, you can do it more easily. Remember that SEEK program? Ask it to look for them and redirect the output to a file. That way you get a list of all the filenames with a full pathname, and you can edit the file into a batch file to delete them all.”

“Oh, OK, yeah, I can see that. Oh, by the way, I saw something strange just a minute ago. When I was rebooting the machine, right at the beginning it said ‘Your PC is now Stoned.’ Do you know why it did that?”

“Yes, as a matter of fact I can tell you exactly what it means, Larry. Your friend’s computer has a virus.”