The flaw discovered by Dan Kaminsky put a forthright scare into the entire internet community — and it should have. This attack, which is trivial in nature, could make the difference between sending all your private data to the secure server across the ocean, or to a happy hacker filling his/her eye balls with goodies.

But now, since everyone was woken up, there are two mainstream, proposed solutions in hopes of ending the insecurity in DNS: DNSSEC and DNSCurve. Which one should you bet your network’s integrity on? Better hope your patched or you might get bailiwicked. Let the enlightenment begin.

DNSSEC, or Domain Name System Security Extensions, is a suite of IETF specifications for securing certain kinds of information in DNS. Recently, lots of companies have been gearing up to implement DNSSEC, as a means of securing DNS on the Internet. One man, that opposes DNSSEC, has written his own code to provide a nicer, more secure solution, and far better than DNSSEC. He calls it DNSCurve.

DNSCurve uses high-speed, high-security elliptic cryptography to improve and secure DNS. Daniel J. Bernstein, the creator of DNSCurve and many other high security servers such as qmail and djbdns servers, doesn’t want DNSSEC implemented, but DNSCurve instead. And it is no question which one is the better choice after looking at the comparisons Bernstein makes between the two now rivals.

Some huge advantages with DNSCurve vs DNSSEC are encrypting DNS requests and responses, not publishing lists of DNS records, much stronger cryptography for detecting forgeries, (some) protection against denial of service attacks, and other improvements.

There is one quick, unrelated issue that I disagree with Mr. Bernstein about. After offering $500 “to the first person to publish a verifiable security hole in the latest version of qmail”, he states: “My offer still stands. Nobody has found any security holes in qmail”. But in 2005, Georgi Guninski found one and has confirmed exploitability on 64 bit platforms with a lot of memory.

Bernstein denied his claim and then stated “In May 2005, Georgi Guninski claimed that some potential 64-bit portability problems allowed a “remote exploit in qmail-smtpd.” This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.”. Now, to me, and I am sure to many other people as well, an exploitable bug in an exploitable bug. Conditions have to sometimes be met and “can be carried too far”, one might put it, but in this case, it is clear that Guninski found at least one exploitable bug in qmail. Game over. No disrespect to Mr. Bernstein or his code; he does have both great code and concepts. On with my main literature.

So, if I were a betting man (and I am), I would gamble on Bernstein’s all around great approach to making DNS safer, more resilient against attacks, and definatly more secure. Hopefully, people will realize money can’t solve all our problems, but the guys that know what they are doing, can, and might just make some things happen pretty soon.


SSH Gets Attacked


Yeah, brute force attacks on SSH is old news. But now, there is something new and interesting about them! Attackers (How did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ’00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run SSH Server on another port besides 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.




Well your favorite website’s, favorite way to see if your human or not has a problem — their ‘protection’ has been ‘broken’. Who knew that asking a user to read and type the contents of a distorted image of text would be so easy for a computer/code to do as well? CAPTCHA’s have never even looked secure to anyone with a open security mind, and those swimming in the unconscious thoughts that some day this ‘protection’ would see its core cracked… well today is your lucky day.

But never fear! There is hope (really..?)! The Carnegie-Mellon University team behind CAPTCHA’s big brother, reCAPTCHA, is for some reason continuing research towards the “effort to mix basic  security and useful work”. While the reCAPTCHA service seems like a step in the right direction, I have my doubts. Actually, I think it won’t be too long until the next article at YOURFAVORITETECHNEWSSITE is about this new ‘improvement’ being ‘broken’. Oh internet, have mercy on the little people, and send your spam bots to wreck havoc on another interNET.


Igniting Linux Desktop Security

Active Connections

Long ago, my all-time favorite desktop firewall was none other than sygate pro (symantec junkies sought-and-destroyed a while back). I loved all of its seemingly superior and cool features that really just made me feel great about using it on some servers and workstations. But like most other desktop firewalls, sygate is/was windows only. But this article isn’t about just any desktop firewall; it is about Firestarter, the Linux GUI firewall solution.

Firestarter is a nice, sleek, Desktop-safe, open source and server or workstation setting network security solution. Say that 128 times fast! Haha. If you are an administrator or just a savvy Linux Desktop user who wants to feel a little more secure on your network, you’ll probably love Firestarter.

Some of the great features of Firestarter include a graphical user interface to configuring firewall rules and settings, a nice wizard to walk you through it, real-time event monitor to check on intrusion attempts or the like, in and outbound network access policy control, port forwarding, the ability to whitelist and blacklist traffic, viewing network connections, advanced kernel tuning to provide somewhat protection against [flooding, broadcasting, spoofing, typical DoS attacks], and much more!

Firestarter sits atop of iptables and it works quite nicely to control traffic in and out of your workstation or server. I’ll even give you a couple of quick and smile examples. Say you got XYZ Linux running ZYX Desktop system and you want to be able to transfer files (or data) via XZY, but only from a certain IP address. Simply add a rule in Firestarter and watch it work. What if you want to completely (for the boundries of this tool) block access from xx.xxx.xx.xxx? Add a rule to blacklist it on outboard traffic. Volia! Simple firewalling made super easy. I use Firestarter and I absolutely love it. So if you haven’t already tried Firestarter, I recommend you give it a shot! I can’t imagine you being disappointed.



Everything new is old again – convergence

Or, converged communications, if you prefer.

I mean, c’mon.  We’ve had VoIP for a while.  (Before that we had H.323.  Even before that we had Internet telephony, although it didn’t work all that terribly well.)

Of course, from our perspective in security, convergence is a great thing–for job security.  Just think, we can take all the problems we have in networking, and all the problems we have in telephony, and roll them up into one big insecurity.

(Surprise, surprise: bad guys are breaking into home and small office VoIP PBXs and using them to make telemarketing calls.)  (Although don’t get me wrong: I’ve nothing against Asterisk per se, and I’m sure it’s a great system–if well managed.)


Internet Explorer Pwned

Internet Explorer

Microsoft’s world has been shaken up recently by a new remote command execution exploit for its premier web browser, Internet Explorer.

Quoting a timeline from eEye’s research on this vulnerability makes it this story more interesting:

11/15/2008 In-The-Wild Exploitation Witnessed By 3rd Party
12/9/2008 Reliable Exploit Code Identified by eEye Research”

The problem is in the code processing XML in Internet Explorer. An attacker can exploit a buffer overflow to execute their own code on the client just by visiting a malicious web page.There are already full exploits for Windows XP and Windows Vista. Apprently, this has been exploited in the wild for some time now. Its too bad that the original bug discoverer didn’t sell his/her code, they probably would have gotten a small fortune (I am talking about totally legitimate agencies, of course).

Also, according to Muts’ Blog, this vulnerability still isn’t patched (Vista updated with latest patches — stated on the blog). Oh Microsoft, we know your good with your Patch Tuesdays and all that stuff, but couldn’t you break down and hand out some emergency patches soon? I mean, should ~50% of the world get owned just in time for Christmas!?

But rapid reader, I bring good news too! Firefox users shouldn’t have a thing to worry about =)


Everything new is old again – Intelligent Automation

Wait a minute, I thought automation was supposed to involve some measure of intelligence, kinda by definition?

Oh, but it’s a specialized form of automation.

First we have to go way, way back.  Back to the days of random security technologies, when you had all kinds of different security technologies.  And they all had to be managed.  Seperately.

And then, oh joy, someone (either Marcus Ranum or Steve Bellovin, take your pick) invented firewalls!  And we wouldn’t have to manage security anymore!  And there was rejoicing!
Until we figured out that we were going to have to manage the firewalls.

And then someone invented Intrusion Detection Systems!  And there was rejoicing!

Until we figured out that we were going to have to manage the IDS.

And then some marketing department invented IPS.  And by this time, becoming jaded, we were asking questions.  Like, what’s the difference between IDS and IPS.  (Oh, really?  An IPS prevents a packet getting through, rather than just detecting it?  Then what’s the difference between an IPS and a firewall?  Oh, really?  An IPS is more intelligent?  How so?  Well, depends on which marketing department you ask.  That’s what you get for using terms invented by marketing departments …)

But that “intelligent” business seems to have had a bit of magic in it.  We’ve always had network monitoring, of one sort or another.  For a long time we’ve had tools to help us sort through our logs (after all, even IDS is only a form of real-time log analysis).  And people have been trying to sell us all “management” systems, to help with the work of, well, managing all the security bits and pieces.  So why not get a log analysis package, bolt on a few other items (maybe virus scanning or something), and call the whole thing “intelligent”!

Hey, presto!  A new marketing term!


Not your typical firefox SSL error message

I almost never mistype domain names, so I’m glad firefox was able to catch my error when I did:

firefox warning

(click the image for a larger version)
If you haven’t noticed (I didn’t notice myself in the first 3-4 times; I kept clicking ok and reloading, I thought firefox was acting up) the url is adwords.gogole.com. The good news is that the site is owned by google, so I wouldn’t have been phished in any case. The bad news is that google should have either redirected me to the right site or give me an error message instead of showing me the site with the wrong certificate. I know why they are doing it – it’s easier to do a domain catch-all then a redirect, but it’s not good in terms of user experience.

Firefox’s behavior is interesting too. Note that the warning I got was accompanied with a popup dialog that forced me to press ‘ok’ to get to to a second warning on the page itself.

If you don’t remember the typical error message, here is what anybody surfing more than a day with firefox has seen:

typical firefox warning

(click the image for a larger version)

This typical firefox warning tries to let me know something is wrong. The problem is, I’m seeing it so much that I’m adding exceptions left-and-right. In this case of the ‘gogole’ typo, the problem is more sever (gogole.com is claiming to be google.com) so I guess firefox decided to add a dialog box to the error. I’m not sure what triggers it and how often it’s displayed, but for me this is the first time seeing it, so my guess is that firefox is trying to keep it for the rare occasion when you need the user to understand the warning has escalated.
I wonder if the next escalation will be a warning siren through the speakers with a small electric shock through the keyboard.


Websites Beware

Websites Beware

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case your not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and they submit it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and names they use to deface, feeding the crave for attention or otherwise.

If you look where they classify and detail ‘special defacements‘, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, other just for fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to the deface websites, but now, its just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.


Opera’s Latest Hitman

Opera Logo

Opera the web browser is apparently now great at one thing: following the standards.

Yesterday, Opera 10 Alpha was released and flaunted its 100/100 score on the Acid3 test, passing with all the colors of the rainbow this time. But honestly, Opera, like several other ‘alternative’ browsers (and if your a hardcore fan/follower, excuse me), is just trying to catch up with the old dogs.

Firefox in particular has had many of Opera’s ‘new’ features and ‘improvements’ for quite a while. Security issues in Opera, often simple and totally trivial bugs, have been found and released. Not saying more than other browsers; both Firefox and Internet Explorer have them doubled to say the least, but I just never could bring myself to trust this unique web browser.

Auto-update has just been put in place, and I feel, as a security researcher, that it is an extremely valuable mitigation tool when new exploits spring up. Thank God the development team FINALLY put this sub-standard feature in place. Presto 2.2 has taken things to the next level with most of these improvements, more details of which you can find for windows, mac, and ‘linux/unix‘.

Has security been incorporated into Opera recently more than ever? Maybe. Has Opera been built with security from the ground up? Certainly not. Pay attention to your favorite XYZ exploit/advisory feed for inevitable updates.


Fooling biometric face recognition

CNet has a nice article about a Vietnamese company called BKIS that was able to login to the reporter’s laptop by simply recording him in a video chat and then using the blurry printout to authenticate with the face-recognition software.

I like to make fun of biometric authentication, mainly because it was overhyped in the 90′s as the authentication that will make remembering passwords obsolete. But it’s not useless technology – you just have to know how to use it.

Using a biometric system (this, or another) in a public place with a guard watching is good enough to make it difficult to hack. I imagine even a minimum-wage rentacop will notice when someone looking like Tom Cruise comes up to the biometric system with someone’s eyeballs in his hand. They should even notice if I come with a printout of someone else’s face. The same is true for passwods: a 50-character long password can be practically as strong as a 4 digit PIN if the proper lock out procedures are in place. Likewise, if I can try billions of password combinations per second then the difference between guessing a 8 character password and a 10 character password is just a few hours.


SCADA Security

SCADA Operator

I’ve been registered with the SCADA Security Mailing List for a while now, and I must say it is very informative and has some solid discussion about SCADA systems and security. If you are not familiar with what SCADA is, it stands for Supervisory Control And Data Acquisition. SCADA systems are generally used for controlling and maintaining public services and private sector systems such as but not limited to nuclear plants, environmental systems, industrial stations, etc. You can google for more information or check our SCADA’s Wikipedia Page.

Security has and also been a big issue with running SCADA systems, especially those connected and maintained over the internet, or really any kind of network. Firewalls and IDS’s can only do so much; the integrity of the applications must be a part of the solution, AND NOT COLLAPSE! There are also many books at amazon that deal with SCADA systems. Could the internal workings of outdated coding practices and weak security in the systems, that control our precious resources and way of life, prove to be insecure? You better believe it.


Who’s your SMTP daddy?

In a hotel in Beijing, using their wifi in the lobby. Everything goes fine until Noam tells me my email headers are weird.

Return-Path: aviram@hsia.com.cn
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (
by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([])
by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [])
by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
Wed, 19 Nov 2008 21:13:54 +0800 (CST)

Clearly I’m sending through another SMTP server, who goes as far as mangling my ‘Return-Path’ address header.

Only I’m not. My SMTP server is set (as always) to the corporate SMTP who is accessible through the VPN, in an encrypted connection that should not allow anyone to change fields. Just in case, I check it again. Yup, the SMTP server is there. So what’s up?
A quick investigation shows the following: The hotel’s network blocks my VPN (as some of them do) but happily resolves any unresolvable host name (such as my SMTP server’s hostname). This is resolved to a catch-all server that proxies everything. Transparently. (well, almost)

Lesson learned. Changed the hostname to the IP, and will soon switch to SSL based SMTP who will authenticate the server. In the meanwhile – be careful from helpful Beijing wifi providers who are only too happy to forward your mail on! (with some changes, of course).


Happy Birthday Morris!

Randy Abrams recently pointed out to me that today is the 20th anniversary of the Morris Worm. For all you kids out there who have no recollection of this event, I’ve just posted a blog at http://www.eset.com/threat-center/blog/?p=165 that recaps on the worm and includes some relevant references, but right now I want to expand on a thought I had while I was writing it.

The Morris worm was very much of its time. It was a proof of concept (actually of several concepts) item of malware that showed a certain interest in and knowledge of some vulnerabilities that were current at that time (mostly a fingerd buffer overflow exploit and a somewhat flaky implementation of sendmail debugging), and was clearly meant to be self-launching. Most current malware, while it may well use drive-by downloads and other exploits, seems to use some form of social engineering. So maybe the earlier CHRISTMA EXEC worm was the real pioneer, with its mass mailing payload and its chainletter appeal to the gullibility of the victim. Well, we can draw dotted lines between old and new malware from now to Christmas, which is the sort of thing that interests saddos like me but doesn’t necessarily gain us much in terms of securing the internet.

Looking through some historical resources, it strikes me that there are some moments in malware history that not only define the time, but in some way draw a line under it, though Morris was followed by a copycat VMS worm the following year). After that, though, we waited quite a while for a real mass mailer epidemic and for the big network worms of this decade. Melissa managed to mark both the beginning of heavy duty mass mailers and the end (or at least the decline) of macro malware. Yet there are no full stops here. In 2008, we’re still seeing new(-ish) stuff cheek-by-jowl with the sort of malware we’ve mostly forgotten about: old-time boot sector viruses and new-age MBR rootkits; macro viruses and office suite exploits; overflows and drive-bys; and an endless loop of social engineering tricks (phishes, 419s, fake admin messages, fake codecs, fake updates…) The only really substantial change is the disappearance of the hobbyist hacker/malware author, promoted into full-blown cyber-criminality.

It seems that what we really need to patch is human nature: the evil gene, the greed gene, the careless gene, the “what’s a patch?” gene, the “I can click on anything because I have anti-virus software” gene…




A few media sources seem to be picking up a press release from the University of Michigan.


This reports on “CloudAV,” a project and series of papers about having antivirus  etection run “in the cloud” rather than on the PC.


As usual, there seems to be some misunderstanding about what is going on here.   CloudAV is not really a new approach, it is simply the use of multiple scanners, which the  AV research community has advocated for years.  It’s like having a bunch of scanners installed on your desktop, or a system like Virustotal, with the exception that the scanners run on different computers so you get a bit of performance advantage (absent the bandwidth lag/drain for submitting files to multiple systems).


Secure coding practices – would you expect the RFC to follow them?

We recently did some work finding inherited vulnerabilities in SNMP supporting devices – mainly embedded/hardware.

SNMP like many other protocols is defined in several RFCs, starting with the basic RFC that describes the protocol structure and goes up to RFC 3414 which describes how authentication and encryption (referred to as privacy by the SNMP spec) are done.

The RFC describes a few algorithms, such as the one for key localization, in great detail – i.e. providing a C source code:

void password_to_key_md5(
u_char *password, /* IN */
u_int passwordlen, /* IN */
u_char *engineID, /* IN - pointer to snmpEngineID */
u_int engineLength,/* IN - length of snmpEngineID */
u_char *key) /* OUT - pointer to caller 16-octet buffer */
u_char *cp, password_buf[64];
u_long password_index = 0;
u_long count = 0, i;

MD5Init (&MD); /* initialize MD5 */

/* Use while loop until we've done 1 Megabyte */
while (count < 1048576) {
cp = password_buf;
for (i = 0; i < 64; i++) {
/* Take the next octet of the password, wrapping */
/* to the beginning of the password as necessary.*/
*cp++ = password[password_index++ % passwordlen];
MD5Update (&MD, password_buf, 64);
count += 64;
MD5Final (key, &MD); /* tell MD5 we're done */

/* Now localize the key with the engineID and pass */
/* through MD5 to produce final key */
/* May want to ensure that engineLength <= 32, */
/* otherwise need to use a buffer larger than 64 */
memcpy(password_buf, key, 16);
memcpy(password_buf+16, engineID, engineLength);
memcpy(password_buf+16+engineLength, key, 16);

MD5Update(&MD, password_buf, 32+engineLength);
MD5Final(key, &MD);

People reading this RFC would jump with joy and just copy paste the above code into their own code and continue on their work of getting SNMP to work on their hardware.

Little will they know that the RFC team has made notice that:

May want to ensure that engineLength < = 32, otherwise need to use a buffer larger than 64

“Ohh pff, who needs to ensure anything on my robust hardware – what is the worst that can happen, a server crash :D

Actually, the worst that can happen is a neat buffer overflow, as no one guarantees that the engineID is limited to 32 bytes, in reality the length is not limited by the transport layer (the ASN.1) but rather only by the RFC specification, which again not everyone checks or conforms to it by 100%.

I would expect the RFC editors/creators to place sample code that is secure. Something like so would have sufficed to prevent the code from being easily exploited:
memcpy(password_buf, key, 16);
memcpy(password_buf+16, engineID, engineLength < 32 ? engineLength : 32);
memcpy(password_buf+16+(engineLength < 32 ? engineLength : 32), key, 16);

Especially since Google searching the above example proved that quite a few people were too lazy to not only fix the security issue but too lazy to remove the embarrassing comment.