Sony about rootkits: Not many USM-F sticks were sold

New information is available on the rootkit issue in Sony MicroVault USB sticks with a built-in fingerprint reader.

One of the stories is this Computer Weekly article, which states:

A Sony spokesperson said: “While relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation. No customers have reported problems related to the situation to date.”

Earlier, F-Secure’s Mikko Hyppönen reported several reasons why this issue is less serious than Sony BMG’s XCP case was.


Windows screensaver lock and lecturing

i was giving a lecture at nps yesterday, and while i was unlocking my laptop (xp), suddenly, before it was unlocked, a file open window popped up. i could browse, and more importantly, open files. the first choice of the system was .hlp.

can someone say pwnage? anyone up to doing some monkey fuzzing on that interface?

gadi evron,


Now fingerprint reader and rootkits – Sony did it again

This report by F-Secure’s Mika Ståhlberg states that the MicroVault USM-F fingerprint reader software shipped with the Sony USB stick installs a driver that hides a directory under C:\Windows.

And reportedly the F-Secure research laboratory also tested the latest software version available from Sony, and this version also contains the same hiding functionality. [added a hyperlink]

Hmmm – time to wear my white T-shirt with text familiar to many readers – “Most people don’t even know what a rootkit is, so why should they care about it?”


Bluetooth 2.1+EDR – officially here

The Bluetooth Special Interest Group (SIG) has officially announced Bluetooth Core Specification v2.1 + EDR (Enhanced Data Rate).

The specification document itself is located here [.zip package].

The group states the following:

Improved pairing also offers “Man in the Middle” protection that in reality eliminates the possibility for an undetected middle man intercepting information.

Worth noting: this protection comes from the new Secure Simple Pairing and depends on the association model in use. Numeric Comparison, Passkey Entry and Out of Band pairing authenticate the link, but the Just Works model, used when neither device has a display or a keypad, offers no MITM protection at all. The claim above therefore holds only for devices that can actually use one of the authenticated models.


MPack’s Dream Coders Team being interviewed

Robert Lemos of SecurityFocus has published an IM interview with the Dream Coders Team, the Russian group behind the MPack kit.


It’s really worth reading!


Free gas?

You think?

I wonder if that is real.


London Car Bombs and Internet Forums

richard m. smith wrote on funsec:

subject: tracking down the london bombers via an ip address

was london bomb plot heralded on web?

internet forum comment from night before: “london shall be bombed”

hours before london explosives technicians dismantled a large car bomb in the heart of the british capital’s tourist-rich theater district, a message appeared on one of the most widely used jihadist internet forums, saying: “today i say: rejoice, by allah, london shall be bombed.”

cbs news found the posting, which went on for nearly 300 words, on the “al hesbah” chat room. it was left by a person who goes by the name abu osama al-hazeen, who appears regularly on the forum. the comment was posted on the forum, according to time stamp, at 08:09 a.m. british time on june 28 — about 17 hours before the bomb was found early on june 29.

al hesbah is frequently used by international sunni militant groups, including al qaeda and the taliban, to post propaganda videos and messages in their fight against the west.

there was no way for cbs news to independently confirm any connection between the posting made thursday night and the car bomb found friday.

al-hazeen’s message begins: “in the name of god, the most compassionate, the most merciful. is britain longing for al qaeda’s bombings?”

al-hazeen decries the recent knighthood of controversial author salman rushdie as a blow felt by all british muslims. “this ‘honoring’ came at a crucial time, a time when the whole nation is reeling from the crusaders attacks on all muslim lands,” he said, in an apparent reference to the british role in iraq.

this is of course, scary and interesting, but i’d like to concentrate on the subject line of richard’s message:
tracking down the london bombers via an ip address

the more important thing to note here is the fact that these cyber terrorism forums have a real connection to real terrorism, rather than how they may be used to try and track the bad guys down (although that is of course, interesting).

it may be stating the obvious, and these forums are likely already tracked: i am unsure if this article will hurt plausible current surveillance efforts, but i am sure stating the obvious about this connection between the real and virtual worlds when it comes to terrorism is important.

gadi evron,


Cracking into Windows with System Recovery – and no warning from Redmond

There was an interesting press meeting here in Finland today. Mr. Kimmo Rousku presented the Command Prompt feature of Vista’s System Recovery, i.e. how to break into a Vista/XP/2003 computer using only Vista installation media and the System Recovery option.

This is a short version of the summary on Mr. Rousku’s web page:

The problem exists because the Windows Vista Repair Computer / System Recovery program opens a command prompt without any user authentication, running with the highest possible (system-level) privileges.

Breaking into Windows systems has long been possible with cracking tools found on various web pages. This is the first time it is really easy and needs no deeper technical knowledge.

The report shows in detail how the Takeown and Icacls commands can then be used to take ownership of ACL-protected files and folders as well.

Mr. Kimmo Bergius, Chief Security Advisor of Microsoft Finland, confirmed at the press meeting that no update is coming. Mr. Bergius also states that there is documentation advising the use of hard disk encryption and a BIOS password, BUT that documentation does not mention this security problem at all.

Yes, this is not the first time this problem has been disclosed. But where is the missing KB article, with instructions on boot order and the benefits of encryption when switching to Vista?

The most important part comes here.

* How to protect:

1. Change the BIOS boot order so that the machine boots only from the hard disk
2. Set a BIOS password so that an attacker cannot change that setting
3. Encrypt sensitive files with EFS
4. On laptops, there is no reason not to use full hard disk encryption!

Note that steps 1 and 2 only raise the bar: an attacker with physical access can reset the BIOS settings or move the disk to another machine. Steps 3 and 4 are what actually protect the data, because Takeown and Icacls change ownership and ACLs but cannot decrypt EFS- or disk-encrypted contents without the corresponding keys.

Mr. Rousku is a well-known non-fiction writer. He works as CIO of the Finnish National Research and Development Centre for Welfare and Health (Stakes).

Update: Pictures from the press meeting:

Mr. Rousku
Mr. Bergius
A screenshot of System Recovery / Command Prompt menu


The attacks on Estonia by Russians (or Russia?)

people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.

a lot of people had information to share and emotions to get out of the way. also, it was really not my place to reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.

as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis as i keep hitting a stone wall i did not expect: strategy. suggestions for the future are also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).

in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as it may sound.


gadi evron,


War Fears Turn Digital After Data Siege in Estonia

The New York Times carries a good popular-level account of what happened in the recent Estonian information warfare incident. Suggested reading. (subscription required)
Syndicated: Times Daily


I’m a Federal Air Marshal and I found my identity on TSA’s HD

From the USA Today article:

“If that information is out there, it’s very easy to find out who they are,” said John Adler, executive vice president of the Federal Law Enforcement Officers Association, whose members include air marshals. Adler said terrorists could use personnel information to find where air marshals live, photograph them and disseminate the photos.

This is really serious now.

The subject could just as well be “I’m a Federal Air Marshal and I bought my identity from TSA’s HD”.


Cryptome has a new ISP

It appears that Cryptome has switched to a new ISP today.

This is what the site is reporting at their main page:

Cryptome is now on a new ISP, Network Solutions, another US giant like Verio, closely linked to the authorities. We’ll see if it can take the heat or cave. We intend to test all the giants if necessary to see what is up with them and the censors: if one buckles we’ll sign up with another.

Some background information is available via this link: Cryptome Shutdown by Verio/NTT Prime Suspect.


Al-Qaeda’s planned attack in London – that’s why we need CPNI

The recent Times Online report Al-Qaeda plot to bring down UK internet shows that large-scale terrorist operations are still being planned. The target was the headquarters of Telehouse Europe in Docklands, London.


The discovery led Eliza Manningham-Buller, head of MI5, to set up the Centre for the Protection of National Infrastructure last month. It is a special MI5 unit…

There are several Internet Exchange Points in London, but we don’t know if this was the only target being planned.

What is CPNI? The unit was founded on 1 February, and NISCC (the National Infrastructure Security Co-ordination Centre) no longer exists.

It appears that Telehouse Docklands lists detailed building specifications on its main page(!).


Wireless “Drive-by Pharming Threat”


read this before reading this blog entry.

this was posted to bugtraq today. let’s see what this is about…

date: thu, 15 feb 2007 13:02:46 -0800
from: zulfikar ramzan
subject: drive-by pharming threat

we discovered a new potential threat that we term “drive-by pharming”. an attacker can create a web page containing a simple piece of malicious javascript code. when the page is viewed, the code makes a login attempt into the user’s home broadband router and attempts to change its dns server settings (e.g., to point the user to an attacker-controlled dns server).
once the user’s machine receives the updated dns settings from the router (e.g., after the machine is rebooted) future dns requests are made to and resolved by the attacker’s dns server.

the main condition for the attack to be successful is that the attacker can guess the router password (which can be very easy to do since these home routers come with a default password that is uniform, well known, and often never changed). note that the attack does not require the user to download any malicious software – simply viewing a web page with the malicious javascript code is enough.

we’ve written proof of concept code that can successfully carry out the steps of the attack on linksys, d-link, and netgear home routers. if users change their home broadband router passwords to something difficult for an attacker to guess, they are safe from this threat.

additional details on the attack can be found at:
drive-by pharming

zulfikar ramzan
sr. principal security researcher
advanced threat research
symantec corporation

in discussions of this issue, fergie (paul ferguson) said, and i replied:

on fri, 16 feb 2007, fergie wrote:
> i don’t know — i found this whole “report” somewhat dubious, if
> not downright opportunist: hasn’t this “vulnerability” basically
> existed since, like, forever?
> i write it off as marketing opportunism… among other things. :-)

well duh. think rsa and a brand new idea they did a pr about – phishing mitm kit (think phishing: user >> fake site >> bank).

nothing is really new in security, we have seen malware/etc. change the hosts file for years now, not to mention domain hijacking.

we have also seen wireless brute-forcing/etc./what-not.

the one thing about the folks at symc who did this release is that they actually know their ****. meaning, someone took these two technology ideas and made something new from them, which is:
break into wireless routers and put your dns server in them for hijacking purposes. symantec just reported it to us.

it’s cool, it’s “new” and it won’t be a huge problem quite yet.

i remember a thread from nanog a couple of years back when i mentioned google and all these other national/international wireless providers better be ready with physical operational folks that will track down rogue aps, etc. cop cars with triangulation devices? :)

it was a vulnerability waiting to happen which wasn’t exploited, meaning it didn’t get much attention. this is much like the days when bots were trojan horses as botnets didn’t yet exist.

wireless used to be used for hacking into a network-connected machine, now it is suddenly used for the sake of it being wireless. still network-connected as a goal, but it is no longer just tcp/ip which plays the game.

good news: these are dns servers we can take-down. fun, yet another escalation war.


this is very interesting, although not too exciting. nice work by the guys at symantec.

gadi evron,
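
The mechanism in Ramzan’s bugtraq post, as an added example that is not Symantec’s proof-of-concept code and not part of the original entry: a small Node.js model of a home router’s settings handler, with the weak behaviour beside a hardened version. The router address, the setup.cgi path, the factory password “admin”, the attacker’s page and every request object are constructed for the example; nothing here talks to a real device.

```javascript
// Added example: a model of a home router's admin interface, written to show why
// drive-by pharming works and which server-side checks stop it. Not Symantec's
// PoC; hostnames, paths, credentials and requests are all constructed.
const FACTORY_PASSWORD = 'admin';            // assumption: the uniform, well-known default
const ROUTER_ORIGIN = 'http://192.168.1.1';  // assumption: typical private-LAN admin address

// Build a router "backend". `hardened` enables the three checks that defeat the attack.
function makeRouter({ password = FACTORY_PASSWORD, hardened = false } = {}) {
  const state = {
    password,
    dns: ['192.168.1.1'],
    csrfToken: 'tok-' + Math.random().toString(36).slice(2), // per-session secret
  };

  // HTTP Basic auth: "Authorization: Basic base64(user:pass)".
  function basicAuthOk(req) {
    const h = req.headers.authorization || '';
    if (!h.startsWith('Basic ')) return false;
    const [user, pass] = Buffer.from(h.slice(6), 'base64').toString('utf8').split(':');
    return user === 'admin' && pass === state.password;
  }

  // The DNS settings handler. A browser on the victim's LAN sends this request on
  // the attacker's behalf; same-origin policy stops the malicious page from
  // *reading* the response, but not from causing the request to be sent.
  function handleSetDns(req) {
    if (!basicAuthOk(req)) return { status: 401, dns: state.dns.slice() };
    if (hardened) {
      // 1. Refuse to change settings while the factory password is still in use.
      if (state.password === FACTORY_PASSWORD) return { status: 403, reason: 'default password' };
      // 2. Cross-site requests carry a foreign Origin/Referer (or none at all).
      const origin = req.headers.origin ||
        (req.headers.referer || '').replace(/(https?:\/\/[^/]+).*/, '$1');
      if (origin !== ROUTER_ORIGIN) return { status: 403, reason: 'cross-site request' };
      // 3. A per-session token the attacker's page has no way to learn.
      if (req.body.csrf !== state.csrfToken) return { status: 403, reason: 'missing csrf token' };
    }
    state.dns = String(req.body.dns).split(',').map(s => s.trim());
    return { status: 200, dns: state.dns.slice() };
  }

  return { handleSetDns, getDns: () => state.dns.slice(), csrfToken: () => state.csrfToken };
}

// What the malicious JavaScript makes the victim's browser send: a form POST (or an
// <img>/<script> fetch) to the LAN router, with the guessed default credentials
// embedded as Basic auth and the attacker's page as the Referer.
function driveByPharmingRequest(attackerDns, password = FACTORY_PASSWORD) {
  return {
    method: 'POST',
    url: ROUTER_ORIGIN + '/setup.cgi',           // assumption: illustrative path
    headers: {
      authorization: 'Basic ' + Buffer.from('admin:' + password).toString('base64'),
      referer: 'http://evil.example/pharm.html', // constructed attacker page
    },
    body: { dns: attackerDns },
  };
}

// Three cases side by side; returns the outcomes so they can be checked.
function demo() {
  const attackerDns = '203.0.113.53'; // constructed (RFC 5737 documentation range)
  const strong = 'correct horse battery staple';

  // Factory password, no cross-site checks: the forged request is accepted.
  const weak = makeRouter();
  weak.handleSetDns(driveByPharmingRequest(attackerDns));

  // Password changed: the blind guess fails, the mitigation Ramzan describes.
  const renamed = makeRouter({ password: strong });
  const guess = renamed.handleSetDns(driveByPharmingRequest(attackerDns));

  // Hardened firmware: even a correctly guessed password is not enough from a
  // foreign page, while the real admin UI (same origin, valid token) still works.
  const hard = makeRouter({ password: strong, hardened: true });
  const crossSite = hard.handleSetDns(driveByPharmingRequest(attackerDns, strong));
  const legit = driveByPharmingRequest('192.0.2.53', strong); // constructed resolver
  legit.headers.referer = ROUTER_ORIGIN + '/admin.html';
  legit.body.csrf = hard.csrfToken();
  hard.handleSetDns(legit);

  return {
    weakDns: weak.getDns(),            // ['203.0.113.53'] (hijacked)
    guessStatus: guess.status,         // 401
    crossSiteStatus: crossSite.status, // 403
    crossSiteReason: crossSite.reason, // 'cross-site request'
    legitDns: hard.getDns(),           // ['192.0.2.53']
  };
}

console.log(demo());
```

Run it with node; demo() returns the outcome of the three cases. The model makes two points the post does not spell out: changing the password helps only because the attack has to guess it blind, and a router that checks Origin/Referer and a per-session token stays safe even when the password is known, which is the firmware-side fix rather than the user-side one.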


Colin Powell’s RSA Talk

none of the quotes in this text are in any way exact or even close to what was said, and are very much biased to what i heard. this is just an opinion piece in a blog, please treat it as such.

at rsa much like with most conferences, networking is key and talks are secondary, or at least that’s the way it is for me. one of the talks i went to was the end keynote – colin powell.

dr. powell is a very impressive and charismatic fellow. he has a good sense of humour and gives the impression of a knowledgeable person. he started his talk with a joke “i am very happy to be welcome here at rsa.” *pause* “in fact, i’m happy to be welcome just about anywhere.” :)



Skype’s motherboard serial number spy – part of DRM technology

On Tuesday the blog posting Skype Reads Your BIOS and Motherboard Serial Number started an interesting discussion about ways to identify a specific Skype user (or something else!).

Skype’s Chief Security Officer, Kurt Sauer, has published an entry, Skype Extras plug-in manager, which states the following:

The EasyBits software includes a form of digital rights management functionality intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use. To enforce these license agreements, the EasyBits framework attempts to uniquely identify what physical computer it’s running on.

[italics formatting by the blog author]

Technically the file was part of this process. But not any more.

Reportedly Skype version (released this week!) no longer attempts to read the serial number.

It appears that the existence of the file C:\Users\nnn\AppData\Local\Temp\12\ was already reported to the Developer Zone community on 16 December 2006.

It is not known if the company received or saved the serial numbers.

Download link for the updated Windows version: