Linux Kernel Bashing

This summer may have caused a few burdens for Linux administrators. With all the patching necessary to keep their systems out of the hands of those who would choose to exploit them, unless you’re using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake up this early this morning…

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit
linux@ubuntu:~/2009-proto_ops$

A reliable local root exploit that affects all Linux 2.x kernels. Feels like 2003 all over again :X
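The exploit above works the way most kernel NULL pointer dereference exploits of this kind do: the kernel calls through a NULL function pointer, and the attacker has arranged for page zero of their own process to be mapped and filled with code. The first thing a practitioner wants to know about a box is therefore whether an unprivileged process can map the zero page at all, which is what the vm.mmap_min_addr sysctl governs. The block below is an added example, not code from this post or from the released exploits: it reads the sysctl and then actually asks the kernel for a page at address 0 through ctypes. It assumes Linux (the MAP_FIXED value is hard-coded) and a 64-bit libc; the verdict strings and the function names are my own.

```python
import ctypes
import ctypes.util
import errno
import mmap

PAGE = mmap.PAGESIZE
MAP_FIXED = 0x10  # Linux value; the mmap module does not export it (assumption: Linux)


def read_mmap_min_addr(path="/proc/sys/vm/mmap_min_addr"):
    """Return the kernel's vm.mmap_min_addr, or None if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def zero_page_mappable():
    """Ask the kernel for an anonymous page at virtual address 0.

    True  -> the mapping succeeded: a NULL dereference in the kernel can be
             steered into memory this process controls.
    False -> refused with EPERM/EACCES (mmap_min_addr or an LSM in effect).
    None  -> some other failure (not Linux, seccomp, odd libc), no verdict.
    """
    # CDLL(None) resolves symbols from the running process, so this works
    # whether libc is glibc or musl.
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.mmap.restype = ctypes.c_ssize_t  # raw address, -1 on failure
    libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                          ctypes.c_int, ctypes.c_int, ctypes.c_ssize_t]
    libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]

    flags = mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS | MAP_FIXED
    addr = libc.mmap(0, PAGE, mmap.PROT_READ | mmap.PROT_WRITE, flags, -1, 0)
    if addr == -1:
        err = ctypes.get_errno()
        return False if err in (errno.EPERM, errno.EACCES) else None
    libc.munmap(addr, PAGE)
    return True if addr == 0 else None


def assess(min_addr, mappable):
    """Combine the live probe with the sysctl into one line of verdict."""
    if mappable is True:
        return "EXPOSED: this process mapped page zero"
    if mappable is False:
        return f"PROTECTED: mapping page zero refused (vm.mmap_min_addr={min_addr})"
    if min_addr is None:
        return "UNKNOWN: could not probe the kernel"
    if min_addr == 0:
        return "EXPOSED: vm.mmap_min_addr is 0"
    return f"PROTECTED: vm.mmap_min_addr={min_addr}"


if __name__ == "__main__":
    print(assess(read_mmap_min_addr(), zero_page_mappable()))
```

A result of False only says that this process, with its current privileges, could not map page zero; run it as the unprivileged user you care about, not as root. It is a mitigation check and no substitute for the kernel update: the exploits released for this bug were written against systems that already had mmap_min_addr, so a PROTECTED verdict here is not proof that no bypass exists.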


Offensive-Security WPA Rainbow Tables

The guys over at Offensive Security have released a 49-million-entry WPA-optimised password dictionary file; the torrents are up at this link here.

If you download it though, please keep the torrents seeding for a while to help others out.

Have fun cracking!


C-level execs ignorant of Web 2.0 dangers

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.


DJBDNS Security Broken

According to this thread, DJBDNS’s security has officially been broken. A patch is available, and Mr. Bernstein’s reward for the bug will be awarded to Matthew Dempsky. Quoting from the thread:

“If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.

—D. J. Bernstein

Research Professor, Computer Science, University of Illinois at Chicago”

I still believe Georgi Guninski’s bug was enough for a reward, but oh well. I wonder what the “new security guarantee” will be, anyway.
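The bug report above turns on DNS name compression: a two-byte pointer stands in for a suffix that already appears earlier in the packet, so a pointer that lands on the wrong label silently changes which owner name a resolver attributes a record to. The block below is an added illustration, not djbdns code and not Dempsky’s bug. It writes names with compression pointers, decodes them with the checks a careful parser should make (pointers only go backwards, only land on a label boundary already parsed, and cannot loop), and then shows that a pointer to the wrong label still decodes cleanly: the wire format offers no defence against an encoder that emits it. The packets are constructed for the example and hold only names, no header or RDATA.

```python
import struct


def encode_name(name, packet, offsets):
    """Append `name` to bytearray `packet` in wire format, replacing the longest
    suffix already recorded in `offsets` (suffix -> byte offset) with a pointer."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    start = len(packet)
    while labels:
        suffix = ".".join(labels) + "."
        if suffix in offsets:
            packet += struct.pack("!H", 0xC000 | offsets[suffix])
            return len(packet) - start
        offsets[suffix] = len(packet)
        label = labels.pop(0).encode("ascii")
        packet += bytes([len(label)]) + label
    packet += b"\x00"
    return len(packet) - start


def decode_name(packet, offset, label_starts=None, max_hops=16):
    """Decode the name at `offset`; return (name, offset just after its in-line bytes).
    If `label_starts` (offsets of labels parsed so far) is given, a pointer must
    land exactly on one of them, which rejects pointers into the middle of a label."""
    labels, pos, end, hops = [], offset, None, 0
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length & 0xC0 == 0xC0:
            if pos + 1 >= len(packet):
                raise ValueError("truncated compression pointer")
            target = struct.unpack_from("!H", packet, pos)[0] & 0x3FFF
            if end is None:
                end = pos + 2
            if target >= pos:
                raise ValueError(f"pointer at {pos} does not point backwards")
            if label_starts is not None and target not in label_starts:
                raise ValueError(f"pointer at {pos} targets {target}, not a label boundary")
            hops += 1
            if hops > max_hops:
                raise ValueError("too many pointer hops")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        if label_starts is not None and hops == 0:
            label_starts.add(pos)  # record boundaries only for bytes read in line
        if length == 0:
            return ".".join(labels) + ".", (pos + 1 if end is None else end)
        label = packet[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("label runs past end of packet")
        labels.append(label.decode("ascii"))
        pos += 1 + length


def parse_names(packet):
    """Parse consecutive names from a names-only packet with the strict checks on."""
    names, pos, label_starts = [], 0, set()
    while pos < len(packet):
        name, pos = decode_name(packet, pos, label_starts)
        names.append(name)
    return names


def build_packets():
    """Constructed packets: 'sub.example.com.' in full, then a second name given
    only as a pointer that is correct, off by one label, or inside a label."""
    base, offsets = bytearray(), {}
    encode_name("sub.example.com.", base, offsets)  # example.com. at 4, com. at 12
    return {
        "correct": bytes(base) + struct.pack("!H", 0xC000 | offsets["example.com."]),
        "wrong_label": bytes(base) + struct.pack("!H", 0xC000 | offsets["com."]),
        "mid_label": bytes(base) + struct.pack("!H", 0xC000 | (offsets["example.com."] + 1)),
    }


if __name__ == "__main__":
    for kind, pkt in build_packets().items():
        try:
            print(kind, parse_names(pkt))
        except ValueError as e:
            print(kind, "rejected:", e)
```

The mid-label pointer is caught because the strict parser remembers every label start it has already passed. The wrong-label pointer is perfectly legal on the wire; the second record now belongs to com. instead of example.com., and only the encoder knew which name it meant. That is why a compression bug in a server that serves third-party data is a cache-control problem and not merely a malformed-packet problem.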


The Internet Almost Crashed!

Yeah, it is true. I guess some programming errors are more serious than others, so let’s give these guys a break: I also suppose the dark clouds gathered for all the recent DDoS characters, too.


Kaspersky Injected

Kaspersky’s USA website was hacked by SQL injection. Maybe they should hire some virus writers to secure their website, or better yet, a good penetration testing team.

Grab more details about the incident here.


Exploits of the Week #2

Internet Explorer 7 XML Buffer Overflow ‘All-In-One’ Exploit, by krafty

MS SQL Server Heap Overflow Exploit, by Guido Landi

Barracuda Spam Firewall SQL Injection, by Marian Ventuneac

CUPS pstopdf Filter Local Exploit, by Jon Oberheide

Coolplayer Local Buffer Overflow Exploit, by r0ut3r


Snoop on Google Talk (Wiretap)

Yes, snooping on someone else’s Google Talk is no big deal if you know their password, but what is interesting is that, unlike other chat clients such as Skype and MSN, Google Talk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, which probably stems from the fact that Google supports web-based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this; I find it useful for sharing chat between my BlackBerry and PC: I basically never need to log on or off on either, since they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D


SPAMing as a Full Time Job?

I’ve been noticing that most of the spam I get (and nearly all that gets through the filters) arrives during the week, not the weekends. Actually, looking at my spam box, it looks like I receive around twice as much on week days than weekend days.

My point being, and I’m sure there are some good answers: is spamming a full-time job for a lot of spammers, or even a 40-hour-a-week job? I’d have to say that for at least the dedicated ones, it probably is. Or do they just figure more people check their mail on weekdays?

Either way, spam sucks.


Metasploit’s Decloak, v2


Metasploit Decloak is back online. Decloak (v2) now identifies the real IP address of a user using a slick combo of “client-side technologies and custom services”. v2 also works regardless of the user’s proxy settings. The only public technology that it cannot get through is a PROPERLY CONFIGURED Tor+Torbutton+Privoxy setup, HDM mentions.

You can read more about it and if you haven’t already, give it a whirl.


Everything new is old again - Web 2.0

Or, social networking, if you prefer.

Let’s face it, the net is social.  The money that went into creating computer networks, and the Internet itself, may have been intended for specific purposes, but as soon as it was there people, being people, were being social.

As soon as the Internet was out of the test-bed (and probably before that), and even before it was known as the Internet, people were using email.  A lot.  For social things.  What are the longest running Usenet “news”groups, and mailing lists of any types?  Lists of jokes and discussions of science fiction.  Social stuff.  (Yeah, the sf geeks are pretty antisocial, by “normal” standards, but for them this stuff is the ultimate in sociability.)

So, what’s new?  Oh, “social” networks have the users generate content?  What do you think mailing lists are?  OK, blogs make it a bit easier to search archives.  But archives of mailing lists have been around for a while, too.  (And this “easier” stuff is highly subjective.  Some blogs can be pretty difficult to plow through in order to find content of interest.)

And what about the Internet itself?  It’s the last word in user created content.  The protocols and programs that run the net were primarily created by individual users, seeing something they wanted to do, and writing something that would do it.  As Dave Clark famously put it, “We believe in: rough consensus and running code.”
Works pretty good, doesn’t it?


Not Microsoft’s Online Lottery


This was just too funny not to share. Read carefully and draw your own conclusions, haha.

from    MIKE ROBINSON
reply-to    mike_robinson79@yahoo.com
to
date    Wed, Dec 17, 2008 at 10:23 AM
subject    WINING NOTIFICATION


1 MICROSOFT WAY
Redmond, WA 98052.
BL4 4PZ,lONDON.
Ref: BTD/968/08
Batch: 409978E
WINNING NOTIFICATION

This is to inform you that your email has won a consolation prize
of the Microsoft Corporation 2008 EMAIL DRAW.Your email has won
(£500,000.00)&(Great British Pounds)of the microsoft onlinelottery
promotion Your email address as indicated was drawn and attached to
ticket number 008795727498 with serial numbers BTD/9080648302/08 and
drew the lucky numbers 14-21-25-39-40-47(20)To file for your claims,you
are to contact your designated claims agent
Mr.mike robinson of this
email: mike_robinson79@yahoo.com

PAYMENT RELEASE ORDER FORM
Full Names——————-
Gender———————–
Age————————–
Contact Address————–
Occupation——————-
Country———————-
Telephone numbers————
Batch————————
Reference——————–
Microsoft Fiduciary Agent
MR Harry peterson


Phone fraud

A not-uncommon phone fraud story from the CBC.  However, I keep telling people:

a) We don’t know enough about phone systems, and unlike most of the breaches we deal with phone fraud costs you real money, right now.

b) When you get hit and take the story to the telcos, the telcos, very profoundly, don’t care.


Useless SPAM


This junk keeps slipping through gmail’s spam filters and the best I can say about it is ‘useless’.

Anybody else been getting this kind of crap lately?

from    Christoph_Schell@computacenter.com
to    [0][x][j][b][r][o][w][n][4][1]@gmail.com
date    Mon, Dec 15, 2008 at 4:02 PM
subject    Christoph Schell/Kerpen/GECITS-EU is out of the office.
mailed-by    computacenter.com

I will be out of the office starting  11.12.2008 and will not return until
18.12.2008.

I will respond to your message when I return or contact Michael Menen
(Michael.Menen@computacenter.com).

**********************************************************************
COMPUTACENTER PLC is registered in England and Wales with the registered number 03110569.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW
COMPUTACENTER (UK) Limited is registered in England and Wales with the registered number 01584718.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW

The contents of this email are intended for the named addressee only.
It contains information which may be confidential and which may also be privileged.
Unless you are the named addressee (or authorised to receive mail for the addressee) you may not copy or use it, or disclose it to anyone else.

If you receive it in error please notify us immediately and then destroy it.

Computacenter information is available from:
http://www.computacenter.com
**********************************************************************

I usually get 5-10 of these about once a month, all in the same hour or two. The most ‘useless’ part about it is that it doesn’t affect me at all, in any way, neither personally nor work-related.


DNSSolutions


The flaw discovered by Dan Kaminsky put a genuine scare into the entire internet community, and it should have. This attack, which is trivial in nature, could make the difference between sending all your private data to the secure server across the ocean, or to a happy hacker filling his or her eyeballs with goodies.

But now, since everyone has been woken up, there are two mainstream proposed solutions that hope to end the insecurity in DNS: DNSSEC and DNSCurve. Which one should you bet your network’s integrity on? Better hope you’re patched or you might get bailiwicked. Let the enlightenment begin.

DNSSEC, or Domain Name System Security Extensions, is a suite of IETF specifications for securing certain kinds of information in DNS. Recently, lots of companies have been gearing up to implement DNSSEC as a means of securing DNS on the Internet. One man who opposes DNSSEC has written his own code to provide a nicer, more secure solution than DNSSEC. He calls it DNSCurve.

DNSCurve uses high-speed, high-security elliptic-curve cryptography to improve and secure DNS. Daniel J. Bernstein, the creator of DNSCurve and of other security-focused servers such as qmail and djbdns, doesn’t want DNSSEC implemented, but DNSCurve instead. And there is no question which one is the better choice after looking at the comparisons Bernstein makes between the two now-rivals.

Some huge advantages of DNSCurve over DNSSEC are encrypting DNS requests and responses, not publishing lists of DNS records, much stronger cryptography for detecting forgeries, (some) protection against denial-of-service attacks, and other improvements. One thing to keep in mind when comparing them: DNSCurve protects the link between a resolver and the authoritative server it talks to, while DNSSEC signs the records themselves, so a DNSSEC signature can still be checked after the data has passed through an intermediate cache.

There is one quick, unrelated issue that I disagree with Mr. Bernstein about. After offering $500 “to the first person to publish a verifiable security hole in the latest version of qmail”, he states: “My offer still stands. Nobody has found any security holes in qmail”. But in 2005, Georgi Guninski found one and has confirmed exploitability on 64 bit platforms with a lot of memory.

Bernstein denied his claim and then stated: “In May 2005, Georgi Guninski claimed that some potential 64-bit portability problems allowed a “remote exploit in qmail-smtpd.” This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.” Now, to me, and I am sure to many other people as well, an exploitable bug is an exploitable bug. Conditions sometimes have to be met and “can be carried too far”, one might put it, but in this case it is clear that Guninski found at least one exploitable bug in qmail. Game over. No disrespect to Mr. Bernstein or his code; he has both great code and great concepts. On with my main literature.

So, if I were a betting man (and I am), I would gamble on Bernstein’s all-around great approach to making DNS safer, more resilient against attacks, and definitely more secure. Hopefully, people will realize money can’t solve all our problems, but the guys who know what they are doing can, and might just make some things happen pretty soon.


SSH Gets Attacked


Yeah, brute-force attacks on SSH are old news. But now there is something new and interesting about them! Attackers (how did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ‘00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run the SSH server on another port besides 22 (this only thins out the scanner noise; it stops nothing that is aimed at you specifically)
4) Better still, turn off password logins altogether (PasswordAuthentication no in sshd_config) and use keys; no wordlist, coordinated or not, helps against a key

Some helpful tips for the helpless. Ho, ho, ho, unwise system admins.
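The quoted description, many bots each trying a few passwords against one server, is exactly the shape that defeats a per-source-IP threshold, since no single address ever trips it. Below is an added example, not from the post or the article it quotes, of a log-side check that catches both shapes: it reads auth.log-style sshd lines, flags one address with many failures, and separately flags an account that is being hit from many addresses that each stay under the per-IP threshold. The log lines are constructed for the example (hostname, PIDs and addresses are made up), and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict

# sshd's failed-password line, for both existing accounts and "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines):
    """Yield (user, source_ip) for every failed-password line; skip the rest."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def classify(lines, single_source_threshold=10, distributed_sources=5):
    """Return findings as (kind, subject, count) tuples.

    single-source: one address with >= single_source_threshold failures,
                   the classic brute force that a per-IP block catches.
    distributed:   one account attacked from >= distributed_sources addresses
                   that each stay *below* the per-IP threshold, the botnet
                   pattern the post describes. No time window is applied here;
                   in production, run this per window (e.g. the last hour).
    """
    failures_per_ip = Counter()
    sources_per_user = defaultdict(set)
    for user, ip in parse_failures(lines):
        failures_per_ip[ip] += 1
        sources_per_user[user].add(ip)

    findings = []
    for ip, n in failures_per_ip.items():
        if n >= single_source_threshold:
            findings.append(("single-source", ip, n))
    for user, ips in sources_per_user.items():
        quiet = [ip for ip in ips if failures_per_ip[ip] < single_source_threshold]
        if len(quiet) >= distributed_sources:
            findings.append(("distributed", user, len(quiet)))
    return findings


def _failed(ts, user, ip, port):
    """Build one constructed sshd failure line in auth.log format."""
    prefix = "" if user == "root" else "invalid user "
    return f"{ts} bastion sshd[2210]: Failed password for {prefix}{user} from {ip} port {port} ssh2"


# Constructed sample log (not real data): one noisy host guessing three
# accounts, six quiet hosts each trying root twice, plus unrelated lines.
SAMPLE_LOG = (
    [_failed(f"Dec 15 04:02:{i:02d}", ("admin", "test", "oracle")[i % 3], "10.0.0.5", 40000 + i)
     for i in range(12)]
    + [_failed(f"Dec 15 04:10:{5 * i + k:02d}", "root", f"192.0.2.{10 + i}", 50000 + 2 * i + k)
       for i in range(6) for k in range(2)]
    + [
        "Dec 15 04:11:30 bastion sshd[2300]: Accepted publickey for ops from 198.51.100.7 port 44122 ssh2: ED25519 SHA256:abc123",
        "Dec 15 04:11:31 bastion sshd[2300]: pam_unix(sshd:session): session opened for user ops by (uid=0)",
        "Dec 15 04:11:45 bastion sshd[2310]: Connection closed by 203.0.113.9 port 33110 [preauth]",
    ]
)


if __name__ == "__main__":
    for kind, subject, count in classify(SAMPLE_LOG):
        print(f"{kind:14s} {subject:16s} {count}")
```

The distributed finding is the one a per-IP blocklist never produces: each of the six addresses failed only twice. Once an account shows up that way, the useful responses are the ones in the list above (restrict source addresses, or drop password authentication for that account), not adding the six addresses to a blocklist that the next six bots will not be on.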


Vulnerability Scanner