Trust me, I didn’t look right as I typed this …

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are likely to be telling a lie. Glancing up to the left, on the other hand, is said to indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large percentage of the public believes that certain eye movements are a sign of lying, and this idea is even taught in organisational training courses. … The claimed link between lying and eye movements is a key element of neuro-linguistic programming.

“According to the theory, when right-handed people look up to their right they are likely to be visualising a ‘constructed’ or imagined event. In contrast, when they look to their left they are likely to be visualising a ‘remembered’ memory. For this reason, when liars are constructing their own version of the truth, they tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The results of the first study revealed no relationship between lying and eye movements, and the second showed that telling people about the claims made by NLP practitioners did not improve their lie detection skills.’”

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)

LinkedIn as a recruitment resource

I’m working on an article about the risks in social networking right now, and I’ve come across yet another blog posting about how to use LinkedIn (and Facebook, and Twitter, etc.) to look for job candidates.

I’ve never quite been able to figure out the attraction of using LinkedIn as a source of employment candidates.  The one thing you know about active socnet users is that they are active socnet users.  If you are at all concerned about your employees wasting time at work, you know right off the top that this is a person who will do that.

Of course, if your company is trying to “get into” the socnet world, you might think this is a good thing.  But it’s quite a leap of faith to think they would do it for you, rather than themselves.

(For us in infosec, there would be the added concern that this person is either telling way too much about themselves, or “tailoring” the facts.  So you either have a failure of confidentiality, or integrity.)

Interview with Charlie Miller

For those of you who don’t know who Charlie Miller is (really, you don’t? Maybe it’s time to get out from under the pile of paperwork for a change), he’s the guy who’s managed to pwn 3 Apple products at Pwn2Own over the last three consecutive years. I got to thinking recently, and the last person that I interviewed for the SecuriTeam Blogs was Fyodor, and that feels like a lifetime ago! So I dropped Charlie a line to see if he’d be up for it, and thankfully he was.

xyberpix: How and what got you started in vulnerability discovery?

0xcharlie: It was back at the NSA so I can’t really talk about it.  But I really like the concept of vulnerability analysis.  It’s slightly adversarial in nature.  Smart people write software and I have to try to find mistakes that they’ve made.

Also, it appeals to me in the same way that collecting baseball cards does to people.  I like having a bunch of bugs that only I know about.  There is something intellectually satisfying about that.

xyberpix: What made you pick OS X as what seems to be your primary target?

0xcharlie: I had never owned, or really even used, a Mac until I started at ISE 4 years ago. ISE got me a Mac as my primary computer since that is the standard company issue. We also had some clients that were interested in Macs and OS X so I was forced to learn a bit about how they worked.  So I was in a position to play with a Mac, which I actually learned to like once I got used to it.  I quickly found it was rather easy to find bugs in it and I like to go after the easy targets.  Another thing is I take joy in ruining the day of the fanboys.  One interesting point is that exploitation is very OS (and even application) dependent, but vulnerability analysis is basically OS independent.

xyberpix: What tools do you typically use to find bugs on OS X?

0xcharlie: Mostly home brewed fuzzers.  But I also do source code analysis when available and occasionally reverse engineering.

xyberpix: What does your testing setup consist of for vulnerability research?

0xcharlie: I have a Win XP box with IDA Pro on it.  I also use this box for Windows bug hunting, so it has a bunch of debuggers (Olly, WinDbg, ImmDbg), hex editors and stuff on it.  I have an old Linux box that I mostly use for Source Navigator.  I also have a bunch of Macs, obviously.  My main computer is a 4 year old MacBook. It’s got everything I need on it as well as every bug or exploit I’ve written at ISE. It also has various fuzzers I’ve written (Python), bunches of fuzzed test cases, PyDbg, PaiMei, etc.

xyberpix: You’ve mentioned on Twitter recently that you have quite a few exploits for OS X, have you considered selling these, and if not, why not?

0xcharlie: No.  My employment contract forbids it.

xyberpix: As you have a stockpile of exploits for OS X, what made you choose to use the one that you did for Pwn2Own over the others?

0xcharlie: It was the easiest one to exploit.  As you’ve probably noticed, I’m basically lazy which is why I like fuzzing.

xyberpix: Will you be bringing out any more books in the near future?

0xcharlie: No plans at the moment.  It’s a huge endeavor to take on.  At one point Dino Dai Zovi, Ralf-Phillip Weinmann (one of the iPhone Pwn2Own guys) and I were signed on to write an iPhone security book, which would have been pretty awesome, but it never materialized.

xyberpix: How’s it feel to have won Pwn2Own 3 years in a row now, and will you be going for 4?

0xcharlie: It felt a little anti-climactic actually.  It was way more fun the first year when it was a bit more of a surprise.  For the last month or two I’ve been saying I’m retiring after this Pwn2Own.  It’s a lot of stress and the rules are always changing so it’s tough.  Also, Snow Leopard exploits are much harder to write than Leopard exploits, to the point it isn’t much fun.  But maybe I’ll reconsider next year. Call me the Brett Favre of hacking.

xyberpix: Have you thought of offering a training course to developers to teach them how to find bugs, if so would this be internationally available?

0xcharlie: Yes, I’ve thought about it.  Again, this would be a big time investment to develop the course which I’m too busy to undertake at the moment.  Of course, I work for a consulting company so if enough people throw money at them, they’ll make me do it!

xyberpix: How would you advise someone starting from scratch on how to identify vulnerabilities and write exploits for them?

0xcharlie: I get this question a lot and I don’t have a great answer for it.  I went to the NSA for 5 years but not many people have that option.  Make sure you understand C/C++, then assembly, then reverse engineering for starters.  For bug finding, find out about all the bugs that are being discussed and what they look like so you know what to look for.  Then start fuzzing and trying to triage all the crashes.  For writing exploits, find some good exploits and see how they work.  Then start trying to write some for known vulnerabilities or ones you’ve found.  If you’ve got the cash, take Dino and Alex’s training course.  My main advice is to get your hands dirty and just jump in and do it.

xyberpix: On a scale of 1-10 how would you compare the skill level required to identify and exploit security vulnerabilities in the following Operating Systems Windows, OS X, Linux?

0xcharlie: This is one of the reasons it’s hard to get into this field these days.  10 years ago it took a skill level of 2, 5 years ago a skill level of 6 and now a skill level of 8 or 9.  As for the various OSes I’d say something like a 9 for Windows and an 8 for the others.

xyberpix: You started the No More Free Bugs Movement, what was/is your reasoning behind this, and have you had much success with selling vulnerabilities/exploits to the vendors? Would you say that the vendors are reacting positively or negatively to this?

0xcharlie: The idea was that finding bugs is hard work.  Big vendors have teams of researchers and QA people who are paid lots of money to find bugs.  So, on the rare event one slips by and puts their users at risk, vendors should be falling all over themselves to get this information and get fixes available for their customers.  Instead, they expect researchers to give them the bugs, deal with them, convince them the bugs are real, provide PoCs, take legal liability, etc., and all for charity.  Well, as a professional consultant, I get paid to find bugs by our customers, so I started to wonder why my customers paid me and, for the same work, vendors don’t.

As for what’s come out of it, hopefully researchers have begun to ask this question too.  I’d like to think I’ve helped ZDI to get more researchers participating, although I don’t know for sure.  Vendors pretty much ignore the whole NMFB movement.  They only care about their bottom line and NMFB doesn’t affect it.  The only positive thing I’ve seen is someone from Mozilla recently said they were thinking of raising their bug bounty from $500 and wanted to know what I thought was a fair amount.  That made me happy.  Besides Mozilla, I’ve never heard of anyone who sold a bug to a vendor, although Chrome offers a program.

xyberpix: What do you feel the greatest risk to Web Browsers is at the moment, and why?

0xcharlie: Probably the biggest weakness is that web browsers are a big attack surface and the attacker has a lot of control.  The attack surface includes HTML, JavaScript, images, plugins (Java, Flash, Silverlight, etc.).  Attackers can manipulate the heap using the languages at their disposal.  These make for a powerful combination for attackers.

xyberpix: What do you feel the greatest risk on the Internet is at this point in time, and why?

0xcharlie: The biggest risk is how companies store your personal information and then lose it. I can manage my own computer (most of the time) but when sites lose my info, I’m powerless to do anything about it (or prevent it).

xyberpix: If you were to give one bit of advice to developers that they’d all listen to, what would that be?

0xcharlie: Just to think defensively.  Every time you write a line of code or a function, think about ways bad guys might try to present data to it to cause an error.  Think about all the things that could go wrong and then you can think of ways to try to prevent them from happening.

xyberpix: You and Steve Jobs are sitting having a cup of coffee; tell me how that conversation would go?

0xcharlie: Great question!  First I’d have to tell him who I was because he’d have no idea. I’d try to tell him that eventually this security thing is going to bite him in the ass when the malware authors notice enough Macs.  I’d then patiently listen to his explanation of why I’m wrong and how it’s going to all play out.  He’d probably convince me.  Finally, I’d bitch that the iPad doesn’t have Flash.  Lame.

Thanks again to Charlie for taking the time out to answer these questions, it really is appreciated.

Insecure Magazine – December Edition

It’s good to see that my challenge from yesterday to write a blog post a day for the next week seems to have got some people blogging on here again, so c’mon, let’s try and keep this up for the week.

If no-one’s ever read the INSECURE magazine before, then now is a great time to start reading them, and go through the back issues as well, as the information held within this magazine is usually really worthwhile.

To give you an overview of what’s contained within this month’s issue, here’s the index.

  • The future of AV: looking for the good while stopping the bad
  • Eight holes in Windows login controls
  • Extended validation and online security: EV SSL gets the green light
  • Interview with Giles Hogben, an expert on identity and authentication technologies working at ENISA
  • Web filtering in a Web 2.0 world
  • RSA Conference Europe 2008
  • The role of password management in compliance with the data protection act
  • Securing data beyond PCI in a SOA environment: best practices for advanced data protection
  • Three undocumented layers of the OSI model and their impact on security
  • Interview with Rich Mogull, founder of Securosis

You can download the magazine from here:

http://www.net-security.org/insecuremag.php

Hats off to the guys and girls at Net-Security for working so hard on a top quality magazine.

Update: Corrected link

MPack’s Dream Coders Team being interviewed

Mr. Robert Lemos of SecurityFocus has released an IM interview of Dream Coders Team – a Russian team behind the MPack kit.

Link:
www.securityfocus.com/news/11476

It’s really worth reading!

The attacks on Estonia by Russians (or Russia?)

People have been wondering why I’ve been keeping quiet on this issue, especially since I was right there helping out.

A lot of people had information to share and emotions to get out of the way. Also, it was really not my place to reply on this – with all the work done by the Estonians, my contributions were secondary. Mr. Alexander Harrowell discussed this with me off mailing lists, and our discussions are public on his blog. Information from Bill Woodcock on NANOG was also sound.

As to what actually happened over there, more information should become available soon and I will send it here. I keep getting stuck when trying to write the post-mortem and attack/defense analysis as I keep hitting a stone wall I did not expect: strategy. Suggestions for the future are also a part of that document, so I will speed it up with a more down-to-earth technical analysis (which is what I promised CERT-EE).

In the past I’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. I was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

I keep seeing strategy for the use in information warfare battles as I write this document on what happened in Estonia, and I believe I need more time to explore this against my previous take on the issue, as well as take a look at some classics such as Clausewitz, as posh as it may sound.

Thanks,

Gadi Evron,
ge@beyondsecurity.com.

No Daddy, please stop! Fyodor’s words.

So after the takedown of seclists.org, and all the different points of view that were being aired on the various web sites, I decided to contact Fyodor and ask him exactly what happened, and what’s going to happen in the future in regard to godaddy.com. Once again, thanks to Fyodor for taking the time to answer my questions.

The following is taken from an interview that I did with Fyodor last night, so here it is:

In your words, could you please describe what happened to seclists.org? I know that you have probably been asked this countless times, but there are also countless sites that don’t mention your point of view. Also, on these same sites, some are saying that you had 60 seconds warning, others are saying 60 minutes; what’s the exact figure?

Basically, GoDaddy suspended one of the domain names I had registered with them based on a complaint by MySpace without giving me a chance to respond or requiring any sort of court order from MySpace. GoDaddy wasn’t even my ISP or web host. Policing web content of the 18 million domains in their registry is not their job. Worse, it was extraordinarily hard and frustrating to reach them and get an actual reason for the shutdown. I’ve described the shutdown in far more detail at http://NoDaddy.Com .

As for the timing, they left me a voicemail at ‘9:39:31 AM PST’ according to the time stamp from my voicemail provider. In the voicemail, they say my domain is “scheduled for suspension”. Then at ‘9:40:23’ (according to my time-synced mail server) they emailed me a “Domain Suspension Notice” saying that my “domain names have been suspended”. So they only gave me 52 seconds to respond to their voicemail! Plus, their voicemail didn’t include a phone number to reach them at! I have posted both the email and voicemail recording at NoDaddy.Com.

GoDaddy nevertheless tried to claim that they gave me an hour of notice. Their general counsel Christine Jones was caught by Wired in that lie at http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html .

Aside from nodaddy.com, do you plan on taking any action, namely legal, against godaddy.com?

They certainly deserve it, and some lawyers have offered to help. But I haven’t even asked them for monetary restitution for the damage they have caused — I just want them to change their policies to be more customer-friendly. Or if they don’t, I want their behavior to be well-known so that other consumers can make a better choice. So unless they do something outrageous (such as suing me for speaking out against them on NoDaddy.Com), I’m not presently planning any legal action against GoDaddy.

Will you be taking any action against myspace.com because of this atrocity at all?

I would cancel my account if I was pathetic enough to have one :) . They should have contacted me directly to remove the page. My email address and phone number were available on the public whois, and I also watch the abuse@seclists.org email address for complaints about illegal postings to the mailing lists. Ironically, GoDaddy shut down the complaint email address when they shut down the whole domain SecLists.org.

So while MySpace made a mistake by sending the request directly to GoDaddy, I hold GoDaddy much more culpable for agreeing to the outrageous domain.

How much of an impact do you feel this had on the security community in general?

I hope it has raised awareness of the problem of vigilante domain registrars hijacking their customers’ domains because they find the web content objectionable. This isn’t just a security community issue, but an issue for all web sites, particularly those which accept user-generated content such as forum posts or blog comments. My whole domain was shut down with no notice or reason immediately given, based on a 3rd party post I had nothing to do with.

How much of an impact has this had on your life?

It has kept me very busy for the last week. But I’m hoping it will calm down so I can return to focusing the majority of my time on maintaining Nmap and my web sites.

I know that it mentions this on nodaddy.com, but what can people do to help on the nodaddy.com site?

The site is meant to be a community effort, so help is appreciated.
Here are some ideas:

o Forum Operator — If someone wants to start a web forum system where users can post their GoDaddy horror stories and seek advice, that would be useful. We would be happy to provide a subdomain such as forums.nodaddy.com for this.

o Webmaster help — If someone wants to help maintain the site content (post new news stories, etc.), I would be happy for the help. They need to know (or learn to use) the Subversion version detection system.

o Creative content, like cartoons, pictures for the “NoDaddy Girls” contest, etc. The point of the site is to spread the word about GoDaddy abuses, but also to have fun :) .

Last but not least, any new and exciting things coming along in the next release of nmap that you’d be willing to share?

We are very excited about a new scripting language, which is already in alpha stage. You can see our writeup here:

http://insecure.org/nmap/nse/

Also, we have received tons of user OS submissions for the second generation OS detection system http://insecure.org/nmap/osdetect/, so the next release should work even better in that respect.

SecuriTeam Interview: LMH

November has been informally designated the “Month of Kernel Bugs” in security circles. The Month of Kernel Bugs began on November 1, with the publication of a vulnerability in Apple’s AirPort drivers. SecuriTeam blogs did an interview with LMH, who hosts the Month of Kernel Bugs project (aka MoKB); the text of our interview is below (after the jump).

Interview with Luigi Auriemma

For those of you who don’t know Luigi, he is the most respected computer games security researcher today. He regularly releases advisories reporting security holes in games, as well as in-depth analysis of network protocols and algorithms for these games.

SecuriTeam decided to conduct an interview with Luigi in order to learn more about him, and to show a part of the security world that is often overlooked.

Luigi’s native language is Italian, so please keep that in mind when reading the interview.

We would very much like to thank Luigi for the interview and for his quick response to our long list of questions.

First of all, can you tell us a little about yourself?

Well, my name is Luigi, I’m 25 and live in Milan, Italy.
Most of the information about me is written on my website, but the more important points are that I’m an atheist, I like freedom of information, games, finding security bugs, reversing and full disclosure.
About my character, I’m often insecure, a loner, unhappy and don’t have a well-defined personality… oh, and my memory is really very bad eh eh eh

How did you find your way to the bug/vulnerability research world?

Simply trying. In 2001 I had a job which allowed me to stay on the Internet all the time (at that time I had a 56k modem at home and the connection cost a lot). From then on I was very interested in security, and I started to follow the Bugtraq mailing list.
After some time I decided to try to find bugs in some software just like the people on Bugtraq did, so I downloaded Apache for Windows (version 1.3.15 if I’m not mistaken) and tried to find a buffer overflow using only notepad and netcat… after some tries I found something interesting, an off-by-one!
Usually there is nothing difficult in bug researching; the most important things are time and will (if you have those you already have 99% of what you need).

Why do you research vulnerabilities in computer games, while most major bugs are in operating systems or infrastructure applications such as the recent WMF issue, or the latest Mac OS X vulnerabilities?

I like to find bugs in games for several reasons. First, because it’s strange and rare to see security bugs in games, so I have practically all the gaming world for my tests since it’s still a virgin field in security research.
Second, I like games! (I started to play games on the Commodore 64, while programming arrived only recently with my interest in security) so it’s fun to find bugs in them.
And finally, games use proprietary protocols, so this situation forces me to do other interesting research and make these algorithms available to the public.
An example is Halo: if I hadn’t reversed the encryption algorithm used for the packets, haloloop wouldn’t have existed.

Are there other vulnerability research fields that you are interested in besides computer games?

Practically everything which is under my hands. Web and FTP servers, chat and instant messaging, multimedia players and encoders, mail clients and everything that has bugs.
I usually like to find unusual bugs (not necessarily critical), so games become important since their architecture allows a big range of strange vulnerabilities.

What do you think is the major risk involving security holes in games?

There are many risks, and almost all are not actually caused by the bugs but by the attitude of some administrators and gamers.
First of all there is the absurd desire of the majority of the community to keep the holes and the information secret. It’s not uncommon to surf a web forum and see administrators ask for information about why their servers crash, and then to see the forum moderator edit any replies in which someone refers to my website or similar research.
The same people who adopt this attitude are the ones that use the unofficial patches I create. I think that is a real shame.
Then there’s the problem of the software versions – for various reasons (server performance, number of players and so on) many administrators and players use old and buggy game versions, so they will continue to be vulnerable to all the public and undisclosed security bugs that were fixed silently in the recent patches.

Are you working in the field of security research or creating computer games as your occupation?

Oh no no, I don’t have an occupation in this field.
I would like a job in security only for increasing my knowledge, but I don’t want my job and my passion to clash; my passion comes first.
About creating games, it was my dream when I was young.

As we all know, you like computer games :-) . What is the first thing that you look at when you play a computer game?

I like driving games a lot, so the first thing I look for is the game-play. It is not important if the game is an arcade or a simulation or has bad graphics, since the only important thing is whether I have the desire to play it again later.

Which games are your personal favorites?

At the moment none, since I do not play games enough right now.
Anyway, I like to play online with Toca Race Driver (yes, I know it’s full of security holes and game-play bugs!!!) and it’s the only game I play on the Internet.
Several months ago I started playing Downtown Race, a semi-unknown arcade racing game – very funny. There are other games that I don’t remember at the moment.
One game which is still and will always be in my memory is Unreal Tournament. It was the first game I played online, on a 56k modem with a horrible ping delay; it has a very interesting atmosphere.

What drives you to explore a certain game for bugs/security vulnerabilities?

Lately the answer is only one: Windows 98SE as a requirement and, naturally, multi-player support.
If this requirement is satisfied I launch the game client and server, sniff some packets, check if they contain something interesting and, if I feel a certain inspiration, I start to test the game.
Usually I try to write a fake player tool so that I’m forced to understand a bit about how the game protocol works and where it might contain flaws.
Otherwise I will do some quick in-game format string and buffer-overflow attempts just as a minimal test.

Many vendors out there invented the term “responsible research”; what’s your opinion?

Responsible research is the most false and misleading term I have ever heard.
There is nothing responsible in giving decisional power about the patching of a bug to the vendor, which usually means many months (it’s enough to read some advisories released by security companies)!
We must start from the idea that the underground already knows about the existing bugs, so responsible can only mean for the person/company to make these bugs public as soon as possible, since leaving them unpatched for many months or years is totally insane.
Anyway, there is another important thing under this term, since it’s just like a weapon in the hands of the vendor.
Let me explain. Almost all the security companies adopt this type of research/disclosure, which makes the vendors happy (they have all the time for fixing the bug, or “not”) and the security companies too (they do this work for money, so they gain partnerships, contracts and moreover visibility).
Now when an independent researcher finds and releases a vulnerability under the full-disclosure philosophy or any other non (so called) “responsible” disclosure, the vendor feels the right to pursue him since he thinks “why has this stupid guy not contacted me or waited for months before releasing this bug like the security companies do?”.

Why did you choose the GPL license to release all of your work?

Actually it’s the only license I know which gives freedom to both developers and users.
Only my proof-of-concept code is not released under the GPL; it is just public.

Many computer users think that vulnerabilities and PoC code should not be released to the public domain, and yet you publish such information using a GPL license, making it available to anyone. What do you think of the idea of “Security by Obscurity”?

Security through obscurity has made and continues to make tons of damage, so it is not important what I think, but what the reality is and what has been demonstrated in all these years.
In my experience security through obscurity has always made bad things, as already explained about the risks in games, for example.
You should have watched my face when a few years ago I found the good old gshboom bug in the Gamespy SDK: I found a great crash bug against tons of widespread games and found also that Gamespy encoded the game packets… really incredible.

What type of reaction are you getting from vendors in the computer game industry?

Small vendors/developers are usually happy about my research, while the most well-known developers are usually the opposite. Naturally, that depends.
Anyway, this is probably normal. Although games are software (NOT 2nd-grade software like many people think!), game security is still less known or usually confused with cheating.
A developer who is writing an FTP server already knows that he must avoid some security bugs, while in games the first requirements are graphics, game-play, performance and game-play bugs… then, if there is enough time, security related bugs are considered.

Have you ever used your PoC on real players in a computer game to take control of their machines? (come on, you can tell us ;-) )

Seems strange, but I have never used my stuff in an evil way.
In some rare cases, if the vendor doesn’t reply to my emails and I have some doubts about a bug, I may try to see if one or two empty servers online are vulnerable.
I bet that if I had evil intentions my advisories and happiness would double!
Anyway, I think that it is a good thing that people exploit bugs when there are existing patches for the vulnerability. That’s why I don’t blame script kiddies, since they make the users aware of the existence of a problem which is better to remove before someone with more skill does real damage.

On your web site you declare that you do not like colorful hats, so what guides you in the way you react to vulnerabilities?

I find bugs because I like that someone with my full-disclosure philosophy finds them before others. I do not care if someone uses them for damage or to test his server, since I want to be neutral.
What I really like is the kind of influence my stuff has indirectly. Maybe someone will start to find interest in security after having read my advisories, or perhaps someone will like my philosophy, or maybe other people will now be more aware of the existence of a less known software which I have tested, and so on.

Was there a time that you thought that it was a bad idea to release an advisory to the public after you had already released it? If so, what was it and why?

Sure, the cause is, as always, my personal insecurity.
In fact sometimes I’m not satisfied by the description of the vulnerability I have written in the advisory, or I feel there is something incomplete.
The best example is one of my oldest advisories (Pegasus Mail) where I also released a patcher which fixed the bug but didn’t allow sending mails… blah.
Now when I release an unofficial fix I test it many times.
A few months ago I decided to release some advisories only on my website when I’m in doubt. That’s also true if the vulnerability is not so dangerous or the software is still a beta or really poorly diffused.

Would you like to be paid for your research? What if it meant that you cannot release the information to the public, only to the company who paid you for it, so that they can release it under their name?

That’s horrible! I prefer my name and my freedom; money can wait.
One of the biggest pleasures is just releasing your own stuff with your name on top of the advisory and being credited for the vulnerability.

If tomorrow a game vendor came to you and said “Luigi, I’m willing to give you any amount of money, just find all of the possible vulnerabilities that my game has”, would you take such an offer?

This has already happened and I have refused.

What is the game about which you are willing to tell people “don’t even come close to it!” regarding the amount of vulnerabilities and/or vendor response?

Eh eh eh, you already know the answer to this question!
Fortunately all the bad things (bugs and hidden code) I have found in the Gamespy software are documented, so there is nothing more I need to say… it’s enough to look at my Advisories and Research page and then check for the Gamespy logo on the back of the game packages in the stores.

On your web site you stated that you do not contact vendors that you have tried before and that did not respond or fix the vulnerability you found in the past. Are there many vendors that act this way? Are there any ‘saint’ vendors that surprised you with a good response?

I want to start by talking about the vendors which surprised me with their quick response, and the first example is Punkbuster; unfortunately a mail problem (now solved!) didn’t allow me to receive their mails, and the absence of explanations and credits (independent researchers like credits, and in this case they were useful too!) in the changelog of the new version created a misunderstanding.
Anyway, usually the open source community is faster to reply to my security reports, but I have also had many good surprises from some game developers who were very happy with my reports.
In the “bad guys” group I’m forced to place Gamespy (not only for the cease and desist but for their attitude in general) and all the others that have never replied to my mails and that, fortunately, I don’t remember at this moment.

Are you worried about the DMCA and similar rules being used against you to drag you into court by a large corporation?

Not anymore. The experience with Gamespy (which pulled back the cease and desist letter, so no court time or money was spent) was very useful on this matter.
Also the recent news regarding Guillermito, who now must pay for something for which only the vendor should be punished.


Interview: Ilfak Guilfanov

Seeking to put some of the confusion about the recent Windows Metafile vulnerability to rest, I interviewed one of the most reliable sources of information on the bug: Ilfak Guilfanov. In addition to discussing the temporary patch he authored, Ilfak offers valuable guidance and accurate information on a more general level for those dealing with this vulnerability.

Tell us a little about yourself so that the audience knows who you are.

I’m the author of the IDA Pro tool, which is used by security specialists to analyze software binaries. IDA Pro is the biggest program I wrote, but there are also other programs (PhotoRescue, for example).

Now let’s discuss some of the details of the Windows Metafile vulnerability. There has been a lot of conflicting information about the details of the flaw. Could you just describe the vulnerability for us so that people understand what the issue is?

Yes, there is some confusion about the vulnerability. To speak simply, it is possible to get infected just by browsing the Internet.

A specially-crafted WMF file can take full control of your computer. In fact, a WMF file is not an ordinary graphic file. It looks more like a program than a data file, because it consists of a sequence of commands for Windows.

Most are commands like ‘draw a blue line’, ‘fill a rectangle with red’, and so on.

There is one very powerful command code in WMF files. This command code means ‘if something wrong happens, do the following: …’. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.

So this is a design issue?

Yes, it is a design issue.

When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updates its software. Could you tell us more about what the patch does?

The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk.

It modifies [the image of] the system DLL ‘gdi32.dll’ because the vulnerable code is there.

Some people are concerned about installing a temporary fix that doesn’t come from Microsoft, because of potential problems with that. Is there an uninstaller available if people run into problems?

Yes, sure. The fix comes with a full installer/uninstaller.

Do you provide the source code of the fix so that people can verify that it works effectively?

Yes, the fix comes with the source code.

When you wrote this, did you expect this patch to become so popular?

Oh no, not at all. It was a big surprise for me.

Should users who install your patch also apply Microsoft’s fix when it is available?

Yes, absolutely.

Should they uninstall your fix before they do that?

My fix can be uninstalled before or after applying the official patch.

Is there anything that you think should be done to make vulnerabilities like this less dangerous in the future?

Good design and good coding practices, but that is easier said than done.

What options are there for users if, for some reason, they are not able to install your patch?

First, there is the option of unregistering shimgvw.dll.
Second, hardware-based DEP [Data Execution Prevention] seems to protect systems.

[For the most effective protection, DEP should be enabled for all programs as outlined below. -- Matt]

Shouldn’t users have DEP on already, if possible, as good practice?

Yes, it is a good practice and should be enabled if possible.

Thanks again for taking the time to discuss this. We appreciate it. It’s obvious from its popularity that the community appreciates your efforts in developing this patch.

I’d like to thank Ilfak Guilfanov, of course, for allowing myself and SecuriTeam this interview. The popularity of his patch is proof of the quality of his work. Thanks are also in order for his contribution of this valuable tool to the community. I’d also like to thank SecuriTeam’s Sun Shine, who decided to do the interview and helped get the ball rolling on it for me.

More information on the topics covered in Ilfak’s interview:

  • Microsoft’s advisory, along with the official workaround (unregistering shimgvw.dll): http://www.microsoft.com/technet/security/advisory/912840.mspx
  • Ilfak’s temporary WMF hotfix homepage is back at www.hexblog.com. You will have to download from one of the better-connected mirrors, as poor Ilfak has already had to move hosts once. I guess he’s a victim of his own popularity. :-(
  • DataRescue is the home of the IDA Pro product that Ilfak has helped develop. Their site also contains a link to the WMF vulnerability information.
  • Information on enabling hardware-enforced DEP is available from Microsoft (for Windows XP SP2, though the process for Windows Server 2003 SP1 will be similar). DEP should be configured to protect all programs for maximum protection. Hardware-enforced DEP does not protect applications (like Windows Picture & Fax Viewer) by default.