Cryptome: NSA has access to Windows Mobile smartphones

For the first time, Cryptome has released information about the characteristics of NSA’s network surveillance.

According to the newest IP address listing:

IP ranges published by Cryptome are used by NSA, by NSA’s private sector contractors, and by NSA-friendly non-US national government agencies to access both stand-alone systems and networks running Microsoft products.

The post continues:

This includes wireless wiretapping of “smart phones” running Microsoft Mobile. Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems via IP/TCP ports 1024 through 1030.

The site has published NSA-affiliated IP addresses since July ’07. It’s not known whether this mysterious source ‘A’ has connections to the National Security Agency.


hackers @ microsoft, MS’s place for white-hat (and blue-hat) hackers

A new blog has been opened in the MSDN Blogs section.
The opening post has officially, at last, stated the following:

We employ “white hat hackers” who spend their time pentesting and code reviewing applications and software looking for weaknesses and vulnerabilities so that others don’t once we’ve released that code into the wild.

It will be interesting to see whether they share information about BlueHat activities via this blog too.

The link itself is here:


Windows screensaver lock and lecturing

i was giving a lecture at nps yesterday, and while i was unlocking my laptop (xp), suddenly, before it was unlocked, a file open window popped up. i could browse, and more importantly, open files. the first choice of the system was .hlp.

can someone say pwnage? anyone up to doing some monkey fuzzing on that interface?

gadi evron,


MS Patch Tuesday and Skype outage – why things didn’t match

Now that Skype’s explanation (written on 20th Aug), Microsoft’s response (also written on Monday) and Skype’s clarification (written today, 21st Aug) are all out, it’s time to share a short summary:

Why did the security community react the way it did?

1. Microsoft has released monthly security updates since January 2004
2. There were three critical MS patches in July, and four critical ones in June
3. Only four of the August critical patches included a mandatory reboot
4. The critical patch (MS07-044) for a code execution issue in Excel needs no reboot
5. The critical patch (MS07-050) for VML needs a reboot only if the affected files are in use
6. A public Skype Network Remote DoS Exploit was released on 17th Aug
7. A new Skype for Windows version was released on 17th Aug
8. A lot of home users go to Microsoft Update on Tuesday, not on Thursday…

Do we need more reasons? No. Boys and girls at Skype, please share information: that you are aware of the public PoC, what the new bugfix release fixes, etc.

But the good news: Villu Arak of Skype states that their “bug has been squashed.” And

The parameters of the P2P network have been tuned to be smarter…

Fine, because there are Black Tuesday patches in the future too! ;-)


Windows’s VML implementation – is it so difficult to patch?

Looking into this week’s Redmond patches, there was, again, a critical patch for the Vector Markup Language component Vgx.dll.
The newest flaw exists in the handling of compressed content and it is a heap overflow vulnerability. The issue was discovered by Mr. Derek Soeder of eEye Digital Security.

Most of us remember the VML 0-day case in September ’06. ZERT released a 3rd party fix and Microsoft pushed out their official update before the monthly September bulletins. Details about the vulnerability and the case can be found in my Windows VML Vulnerability FAQ (CVE-2006-4868) document.

The reporting timelines of the three newest VML issues are below:

#1: fill method buffer overflow – Vgx.dll
18-Sep-06 Sunbelt Software contacted the vendor
The person who discovered this 0-day flaw is not known
25-Sep-06 MS06-055 is out

#2: Recolorinfo integer overflow – Vgx.dll
03-Oct-06 Vendor was contacted by iDefense
09-Jan-07 MS07-004 is out

#3: Compressed content heap overflow – Vgx.dll
24-Oct-06 Vendor was contacted by eEye
14-Aug-07 MS07-050 is out

Related to issue #2, Microsoft stated the following:

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

The fact is that Microsoft had been aware of the latest vulnerability, i.e. issue #3, for almost ten months.


Mozilla’s JavaScript fuzzer – Opera’s best friend

Window Snyder, the head of security strategy at Mozilla Corporation, wrote this week about Opera’s use of Mozilla’s JavaScript fuzzer. Mrs. Snyder points to the post of Claudio Santambrogio from Opera Software:

While running the tool, we found four crashers – one of which might have some security implications.

When will we read news like this from Microsoft and Apple?


ZZZ of the month

This has to be the ZZZest (sleepiest, for those who didn’t get the idea) post of the month: a guy called Hamachiya found a vulnerability that crashes IE7 and IE6. No big news here (aren’t there a few, or even a few dozen, such vulnerabilities already?), yet for no obvious reason other than that he wrote it in Japanese, it got Slashdot headlines.

Am I missing something or is this part of the “no-news week, therefore we take anything that looks remotely interesting”?


Phishing just got a little less tedious

I know I shouldn’t be merely referencing others’ blog posts, but this is just too good. Kuza55 has written up how a phisher can very easily get around the phishing filter implemented in IE7, Firefox and Opera.


CPU vulnerabilities, the future is here?

On funsec, Richard M. Smith sent this in after spotting it on /.

Critical update for Intel Core CPUs is out
Have Intel processor? Download the fix right now
By Theo Valich: Tuesday 26 June 2007, 07:26

A COUPLE OF WEEKS ago, we heard that Dell was dealing with a certain situation considering Intel dual-core MCW and quad-core KC marchitecture, and that the company was releasing urgent BIOS and microcode versions for its line up.

We learned that the affected CPUs are the Core 2 Duo E4000/E6000, Core 2 Quad Q6600, Core 2 Xtreme QX6800, QX6700 and QX6800.

In the mobile world, people with the Core 2 Duo T5000 and T7000 need to visit Microsoft’s site, while the server guys will want to use motherboard BIOSes if they do not rely on Microsoft Windows operating systems.

A microcode reliability update is available that improves the reliability of systems that use Intel processors


CFP: ISOI III (a DA workshop)



cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in washington dc this august the 27th, 28th.

this time around the folks at us-cert (department of homeland security - dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at:

27th, 28th august, 2007
washington dc -
aed conference center:

registration via is mandatory, no cost attached to attending. check if you apply for a seat in our web page.


this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.

please email as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.

current speakers (before committee decision)

roger thompson (exp labs)
- google adwords: the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
- what you should be asking me as a routing vendor

john lacour (mark monitor)
- vulnerabilities used to hack sites for phishing
- using xss to track phishers

dan hubbard (websense)
- mpack and honeyjax (web 2.0 honeypots)

april lorenzen
- fastflux: operational update

william salusky (aol)
- the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
- incident response during the recent attack

Sun Shine (beyond security)
- strategic lessons from the estonian “first internet war”

jose nazario (arbor)
- botnet statistics from the estonian attack

andrew fried (treasury department)
- phishing and the irs – new methods

danny mcpherson (arbor)
- tba


Microsoft really trusts IIS 7.0

The Redmond giant has switched to IIS 7.0 on its web site. Netcraft’s report of

IP address:
OS:           Windows Server 2003
Web Server:   IIS/7.0
Last changed: 13-Jun-2007

They don’t care about reports like this:

Web Server Software and Malware


Cracking to Windows with System Recovery – and no warning from Redmond

There was an interesting press meeting here in Finland today. Mr. Kimmo Rousku presented the Command Prompt feature of Vista’s System Recovery, i.e. how to crack a Vista/XP/2003 computer using only Vista installation media and the System Recovery option.

This is a short version of the summary on Mr. Rousku’s web page:

This problematic security feature exists because the Windows Vista Repair Computer / System Recovery program enables the use of a command prompt without any user authentication, with the highest possible (system-level) privileges.

Cracking Windows operating systems has been possible by using cracking software found on various web pages. This is the first time that cracking Windows operating systems is really easy and requires no deeper technical knowledge.

The report shows in a very detailed way how the Takeown and Icacls commands can be used to take ownership of ACL-protected files and folders as well.
Mr. Kimmo Bergius, the Chief Security Advisor of Microsoft Finland, confirmed today at the press meeting that no update is coming. Additionally, Mr. Bergius stated that there is documentation advising the use of HD encryption and a BIOS password, BUT this documentation doesn’t mention this security problem in any way.

Yes, this is not the first time this problem has been disclosed. But where are the missing KB document, the instructions on boot order, and the note on the benefit of encryption when switching to Vista?

The most important part comes here.

* How to protect:

1. Change the BIOS boot order to disable booting from any media other than the hard disk
2. Then set a BIOS password to prevent the bad guys from changing this setting
3. Encrypt files with EFS
4. When using laptops, you have no reason not to use HD encryption!
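The four points above are preventive. As an added detective check (my own script, not from Mr. Rousku’s report or from Microsoft), the following PowerShell audits a protected directory on a live system for files whose owner has changed, which is the trace that Takeown leaves behind. It assumes Vista-style ownership (on XP/2003 most system files are owned by Administrators), an elevated shell, and the hypothetical parameter names shown.

```powershell
# Added example: audit file ownership under a protected directory. Takeown, run
# from the System Recovery command prompt, makes the account that ran it the
# owner of the file, so a protected file whose owner is not TrustedInstaller,
# SYSTEM or Administrators is worth a closer look. Assumptions: Vista-style
# ownership and an elevated shell; $Root and $ExpectedOwners are illustrative.
param(
    [string]$Root = "$env:SystemRoot\System32",
    [string[]]$ExpectedOwners = @('NT SERVICE\TrustedInstaller',
                                  'NT AUTHORITY\SYSTEM',
                                  'BUILTIN\Administrators')
)

# Collect every file whose owner is not in the expected list.
$suspects = @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if ($acl -and ($ExpectedOwners -notcontains $acl.Owner)) {
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Owner     = $acl.Owner
                LastWrite = $_.LastWriteTime
            }
        }
    })

"{0} file(s) under {1} are owned by an unexpected account" -f $suspects.Count, $Root
# Most recently modified first: a fresh timestamp on a re-owned file is the
# pattern left by editing or replacing it after Takeown/Icacls.
$suspects | Sort-Object LastWrite -Descending |
    Format-Table Owner, LastWrite, Path -AutoSize
```

A file whose owner was restored afterwards will not show up here, and Icacls changes the DACL rather than the owner, so treat a clean result as a weak signal; the boot-order, BIOS-password and encryption measures above are what actually prevent the attack.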

Mr. Rousku is a well-known non-fiction writer. He works as CIO of the Finnish National Research and Development Centre for Welfare and Health (aka Stakes).

Update: Pictures from the press meeting:

Mr. Rousku
Mr. Bergius
A screenshot of System Recovery / Command Prompt menu


FuzzGuru’s approach to fuzzing

Recently I saw a lecture by John of Microsoft about their FuzzGuru framework; apparently their approach to fuzzing is through tight integration with code coverage tools. In similar fashion, a recently published paper by Microsoft Research, Automated Whitebox Fuzz Testing, shows that this is in fact Microsoft’s approach to fuzzing.
Though this approach seems to provide good results for Microsoft, I am not sure it is a good approach for the majority of people who develop software, as in the security testing phase there is usually little chance that the source code will be available for code coverage testing.

Some would think that binary-form code coverage might work as well; I disagree, as generic code coverage will confuse the fuzzer, since it would not concentrate on the parser part of the program, which is what our fuzzer needs to test.

We’ve been toying with the idea of implementing both source code coverage and binary code coverage in beSTORM but I’m not sure I’m convinced yet that the code coverage approach is beneficial.
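To make the code-coverage approach concrete, here is an added example of my own (not FuzzGuru, beSTORM or the Microsoft Research paper): a minimal coverage-guided mutation fuzzer. Coverage is collected with sys.settrace only inside the constructed toy parser, an input is kept in the corpus only when it reaches a parser line not seen before, and because the toy RIFF magic check is bytewise the fuzzer climbs it one byte at a time until it hits the unchecked copy; with guided=False the same loop is blind and has to guess all four bytes at once. All names (parse_riff, run_with_coverage, fuzz) are constructed for this example.

```python
import random
import sys

def parse_riff(data):
    # Constructed toy target: bytewise RIFF magic check (one line per byte, so
    # line coverage rewards each correct byte), then a copy that trusts the
    # declared length when filling a 16-byte buffer (the deliberate defect).
    if len(data) < 5 or data[0] != ord("R"):
        return "no magic"
    if data[1] != ord("I"):
        return "bad byte 1"
    if data[2] != ord("F"):
        return "bad byte 2"
    if data[3] != ord("F"):
        return "bad byte 3"
    buf = [0] * 16
    for i, b in enumerate(data[5:5 + data[4]]):  # defect: no bound check on size
        buf[i] = b                               # IndexError once i reaches 16
    return "ok"

def run_with_coverage(target, data):
    # Trace line events in the target's frame only: code outside the parser is
    # ignored, which is the "concentrate on the parser" point made above.
    lines, code = set(), target.__code__
    def tracer(frame, event, arg):
        if frame.f_code is code and event == "line":
            lines.add(frame.f_lineno)
        return tracer if frame.f_code is code else None
    sys.settrace(tracer)
    try:
        target(data)
        return lines, False
    except IndexError:                # stands in for a memory-safety crash
        return lines, True
    finally:
        sys.settrace(None)

def fuzz(target, seed, max_iter=200000, guided=True, rng=None):
    rng = rng or random.Random(1)
    corpus, covered = [seed], run_with_coverage(target, seed)[0]
    for it in range(1, max_iter + 1):
        # mutate the newest (deepest) corpus entry most of the time, else any
        cand = bytearray(corpus[-1] if rng.random() < 0.75 else rng.choice(corpus))
        for _ in range(rng.randint(1, 3)):
            cand[rng.randrange(len(cand))] = rng.randrange(256)
        lines, crashed = run_with_coverage(target, bytes(cand))
        if crashed:
            return bytes(cand), it, len(corpus)   # crashing input, iterations, corpus size
        if guided and not lines <= covered:     # new line reached: keep the input
            covered |= lines
            corpus.append(bytes(cand))
    return None, max_iter, len(corpus)
```

Calling fuzz(parse_riff, bytes(24)) from a seed of 24 zero bytes returns the crashing input after a few thousand iterations; the same call with guided=False usually exhausts the budget, which is the whole argument for coverage feedback.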


Targeted or not targeted?

many of us have been having discussions and arguments over whether the recent bbb phishing attacks are targeted or not.

thinking on this, i believe a better equivalent, which may solve our terminology disagreements over whether these bbb phishing emails were targeted or not, would be “targeted spam”, a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example, or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in the type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,


.ANI fuzzing module released

after being challenged by Sunshine, we decided to make the bestorm .ani file fuzzing module description available publicly.

this module is interesting because microsoft’s fuzzing team, using a template-based fuzzing module, missed during their testing a vulnerability that turned out to be a zero-day. we built our module by simply feeding a few sample files into bestorm and using its autolearn feature to produce a file fuzzing module. the module we produced does catch the 0-day, but we welcome any feedback as to how good or bad this module actually is.

the fuzzing module description is available here.


Hacker OpSec and the State Department

Dave Aitel sent this one in, and it’s a good one: