Firewall !!

That’s the answer for all the security problems in the world !!!

Or was it 42? yeah 42… and then definitely firewall. Yeah, I’m sure of that.

Wait a minute - 42 is only the meaning of life… then definitely firewall is the only answer.

Ok ok, let me explain. In the past couple of years, Windows users received a built-in firewall by Microsoft (finally). Now many questions and comments I hear, read and see are “but I have a firewall …”.

Let’s make some things clear. A firewall is a good thing, but its entire purpose in life is to filter packets. It does so by following sets of rules and instructions, and if it does not know what to do with a certain communication, well, then it depends on the firewall - it will either block anything that it does not know about, or pass the communication.

Firewalls are only good for managing connections. It’s like a policeman that directs traffic at a very busy junction. It can stop it, move it to a different location, or just let it flow. It’s good, when you know how to use it, but it’s not the answer for DoS attacks (good, expensive firewalls may also have some type of load balancing, but that’s not what most of us expect from it).

Firewalls do not protect you from malicious content! A firewall is not even an Intrusion Prevention System (IPS), and let’s remember that even an IPS does not act as an IPS :P (but let’s not return to that argument again).
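As an added illustration (not code from the original post), here is a toy stateless packet filter that follows the behaviour described above: rules are matched on header fields in order, a flow that no rule covers falls through to the default policy (block or pass), and the payload is never consulted. The rule set, addresses and packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a stateless filter looks at, plus the payload it ignores."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """A rule matches on header fields only; a None field matches anything."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_net: Optional[str] = None    # CIDR, e.g. "192.168.1.0/24"

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        return True


def filter_packet(p: Packet, rules: List[Rule], default: str) -> str:
    """First matching rule wins; a packet no rule knows about gets the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed rule set: web traffic from anywhere, SSH only from the LAN.
RULES = [
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
    Rule("allow", proto="tcp", dport=22, src_net="192.168.1.0/24"),
]


def payload_changes_verdict(p: Packet, other_payload: bytes,
                            rules: List[Rule], default: str) -> bool:
    """True only if swapping the payload changes the decision (it never does here)."""
    q = Packet(p.src, p.dst, p.proto, p.dport, other_payload)
    return filter_packet(p, rules, default) != filter_packet(q, rules, default)


if __name__ == "__main__":
    outside_ssh = Packet("203.0.113.5", "10.0.0.2", "tcp", 22)
    lan_ssh = Packet("192.168.1.7", "10.0.0.2", "tcp", 22)
    web = Packet("203.0.113.5", "10.0.0.2", "tcp", 80, b"GET /index.html HTTP/1.0")
    # The unknown flow (SSH from outside) is decided by the default policy alone.
    for default in ("deny", "allow"):
        print(default, "default:", filter_packet(outside_ssh, RULES, default),
              filter_packet(lan_ssh, RULES, default))
    # Whatever the application data is, the verdict is driven by the headers.
    print("payload matters?",
          payload_changes_verdict(web, b"<anything the application carries>", RULES, "deny"))
```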

An attacker can still attack you just as easily as before; when you have a firewall, it only blocks the traffic that you already know you do not like or wish to see.

So the next time I hear “but I have a firewall, why did XYZ happen?”, I’ll take off, FAST…


Rotten Meat

We all know this situation: Junk emails.

Usually it’s just annoying commercial stuff (do you want Viagra and then find a sex partner?), or the phishing type such as lottery wins (Bill Gates, look behind you), and of course it might carry some XSS attacks or an ActiveX that allows attackers to hijack users’ machines and make them zombies.

There is Blue Security’s suggestion to DoS spammers, where it will not be Blue Security’s hands that pull the trigger - it will be the users who are sick and tired of spammers that do it for them.

There are many pros and cons to that solution, and I think that the murder of the Russian spammer set a new level for what people are willing to do to spammers. While that specifically is going too far, it displays the problem that spammers create for users.

Recently the Israeli court (the same country that Blue Security comes from) decided that if you somehow published your email address, it is OK for businesses to spam you (what’s the email of the judge, I wonder?).

My idea is to create a big database where users can register what ads and other junk mail they are willing to receive in their email; only this type of email will be sent to them, while users that are not registered with this service will not get any spam at all.
Anyone who spams users that are not listed will need to pay a huge amount of money to that user, and to the ISP whose services they used to send the email (500% of the annual income of the company).

Another idea is to close ISPs that allow such mass emailing of users. We need to close them for a month, in order to make them bankrupt (customers will leave them, and not many customers will join such service providers). That way most ISPs will stop allowing such things, and also start to offer their clients protection as part of the email address deal.

Now we need to test it, in order to see how it works.


DocuColor Tracking Dot Decoding Guide

The EFF has broken the tracking code used by Xerox DocuColor. The “DocuColor” prints a series of yellow dots on a 15×8 grid on every page to identify the printer.

The EFF has created a web application that can be used to decode the dots which hide the time, date, and serial number of the printer.


Cross-Site Scripting Worm Hits MySpace

As if by the hand of “god” - a worm that exploits a cross-site scripting issue in MySpace has caused numerous users to become “infected” with a piece of JavaScript that adds them to the buddy list of “Samy”.

This worm comes a few days after we have published an article predicting the spread of such worms. We didn’t know it would happen so quickly, but hey, don’t say we didn’t warn you.

Maybe it will cause webmasters to regard cross-site scripting as more than just an inconvenience.


Draw your katanas, Netsukuku is out there (the Internet is obsolete)

The Internet as it is known to us today is decentralized through a hierarchical network, where domain naming services are provided by international corporations funded by government institutions. Every bit and byte of information is transferred via commercial backbone routers.

But big brother’s eye never sleeps. It is no longer a myth that governments want, try and sometimes even “control” the Internet.

Netsukuku is an attempt to implement a “real” decentralized network, without any kind of root servers or backbones. All the communication is transmitted peer to peer. Big brother - no, cyberpunk - yes.

Netsukuku is a physical network, i.e. it does not rely upon any existing infrastructure; therefore computers need to be physically linked to each other for Netsukuku to be able to construct networking routes.

Instead of DNS, Netsukuku uses an “anarchy” domain name system ANDNA (Abnormal Netsukuku Domain Name Anarchy). Each peer keeps and maintains its routing table using its own proprietary algorithm called Quantum Shortest Path Netsukuku (wow :D ).

Anyway … it is a nice project, visit http://netsukuku.freaknet.org/ to learn more about it.


Skype’s encryption

If you haven’t heard about Skype, go check it out. Skype is a PC<-->PC and PC<-->POTS VoIP application.

On their web site, they claim that all their calls are encrypted:

Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 × 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

This quote really makes sense to an encryption expert. If:

  • I am to trust what Skype say here
  • Skype actually implemented what they say they did
  • Skype’s implementation is correct
  • Skype’s implementation is bug free

then this encryption is pretty good considering today’s standards.

But there’s no way for me to know. Skype, being closed-source, won’t let me look at their encryption code. As far as I know they might not be encrypting at all, or might be doing so in a way that is vulnerable. I have absolutely no way to verify that their encryption is worth anything. For all intents and purposes, my Skype call is considered clear-text, because for all I know it might as well be so.

It all comes back to Trust. If you trust Skype, you can accept that your calls are encrypted. If you don’t (and frankly I have no reason to trust them) you cannot treat Skype conversations as encrypted.

[Originally posted in my blog — Arik]

Update October 22nd:

In a strange coincidence, Skype just came out with this blog entry about an outside review of their system.

While this is laudable, I cannot see how this improves the security of their system. For all we know, the evaluation may be accurate for the piece of source code analyzed - but we know absolutely nothing about the security of the piece of binary that runs on our system. We can’t look into its code, nor can we do black-box testing with an interoperable client. We need to take them at their word that the security evaluation actually relates to the code running on my computer. We still need to trust Skype that this holds true.


Acrobat Reader Vulnerability in the Making

I have been able to cause Acroread to do something very “bad”: SIGSEGV. I didn’t do it by providing it a malicious PDF, or by supplying very long buffers, but rather by trying to copy-paste from a document found on the Internet. The problem seems to occur whenever Acrobat tries to copy text that has been colored.

To trigger the vulnerability you will need the following document: www.usb.org/developers/devclass_docs/HID1_11.pdf. Look up Protocol 1 (Keyboard), copy the section found after “The following represents a Report descriptor for a boot interface for a keyboard” and try pasting it into a KMail message; if you debug the process, the following will appear:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1092234144 (LWP 9147)]
0x0876b865 in IPMachine::SetDefaultColorSpaces ()
(gdb) bt

#0 0x0876b865 in IPMachine::SetDefaultColorSpaces ()
#1 0x0881fd77 in PDExecutorFree ()
#2 0x08820099 in PDCreateExecutor ()
#3 0x0860161b in AVRealCosDrawer::CreateExecutor ()
#4 0x08600aab in AVRealCosDrawer::SetupContentAndPort ()
#5 0x08601fbe in AVRealCosDrawer::InitializeForDrawing ()
#6 0x085fe0fb in AVRealCosDrawer::AVRealCosDrawer ()
#7 0x085fc8ee in AVCosDrawer::Create ()
#8 0x08602819 in AVRealPageDrawer::InitializeForDrawing ()
#9 0x086025a3 in AVRealPageDrawer::AVRealPageDrawer ()
#10 0x08603b50 in AVPageDrawer::Create ()
#11 0x084022a9 in AVGrafSelectGetBoundingRect ()
#12 0x0833b29e in UnixBitMapGetSelectionPixmap ()
#13 0x0833bad8 in get_clipboard_data ()
#14 0x40aefdd0 in gtk_clipboard_get_type () from /usr/lib/libgtk-x11-2.0.so.0
#15 0x40b97496 in _gtk_marshal_VOID__BOXED_UINT_UINT () from /usr/lib/libgtk-x11-2.0.so.0
#16 0x40e5fcce in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#17 0x40e6f15d in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#18 0x40e705e7 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#19 0x40e73b74 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#20 0x40bd5b39 in _gtk_selection_notify () from /usr/lib/libgtk-x11-2.0.so.0
#21 0x40bd64a9 in _gtk_selection_request () from /usr/lib/libgtk-x11-2.0.so.0
#22 0x40b95c7a in _gtk_marshal_BOOLEAN__BOXED () from /usr/lib/libgtk-x11-2.0.so.0
#23 0x40e5f768 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#24 0x40e5fcce in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#25 0x40e6f362 in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#26 0x40e703a5 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#27 0x40e7099e in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#28 0x40c734d8 in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#29 0x40b9460e in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#30 0x40d7f42a in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#31 0x40eb6a21 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#32 0x40eb9c77 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#33 0x40eba1c8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#34 0x40b93849 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#35 0x08331223 in UnixAppMain ()
#36 0x0833026d in main ()

If this vulnerability is exploitable, all you need to do is convince someone to copy-paste the content of the PDF, with the different color, into any other program under Linux - i.e. copy from the PDF to KMail, OpenOffice, etc.


“IDS - that has got to be one of the stupidest technology ideas of all time.”

I’ve been saying that for years, and I know other people have been saying it for quite a while. I heard Richard say on more than one occasion “IDS is dead”, and almost hugged him for it. But I like the quote in the title even better.

Then what made the IDS market a billion-dollar market for the last few years (with very few signs of slowing down)? Surely, it’s not because IDS has ever stopped any attacks (don’t talk to me about IPS, please. Most IPSs are just IDS with blocking capabilities, which means no one ever puts them in ‘blocking’ mode by default. The rest are usually so sophisticated their “AI” engines can’t even stop an nmap connect scan). It’s also not because of proven ROI, better ability to manage the network, or saving time for the sysadmin. What makes people buy it, then?

I wish I knew the answer to that. But in the meanwhile, I’m glad to see sense is finally returning to our little world of security. Maybe we’ll reach a point where security products will finally provide security?…


Old and Known

Here is a very old and known issue with Mac: Too many ways to bypass authentications and too few fixes.

A week ago, a person emailed us (SecuriTeam) about another bypassing issue in Mac OS X Tiger (10.4 family).

The person told us that he was able to change the root password (because he couldn’t remember it) using the NetInfo program.

Sounds ok… on any *nix I can change the root password. All I need is to become a sudoer, or become root some other way, without necessarily knowing the root password.

But here, the person did not have any special privileges, as far as I could understand, and still he was able to change the ROOT password.

I don’t have a Mac to test this issue on :( so by searching SecuriTeam and using Google I was able to find that this issue was known even before Mac OS X. That is, Mac users could bypass user access restrictions. There was an unofficial patch to fix this issue, and theoretically, Apple fixed this for Tiger as well.

But this person claims that his system is up to date, and that he can still bypass any root based authentication in order to change the password.

There is no reason to publish this as news in SecuriTeam, because this is a known issue that was reported back in 2001 by us. Repeating the same story where the only change is that it works with newer versions is useless, so I decided to blog it instead.

I really hope that Apple fixes this issue once and for all, but then again, that’s why I prefer open source products. If the vendor does not fix the problem, I can always find a way to fix it, at least for myself…


We want your information!! (Musical selection)

Okay, sharing MP3’s is a no-no, right?

“Every time you download music, God kills a kitten.” and stuff.

Arr, I’m an evil Internet pirate.

Well, the lyrics alone just don’t convey how extremely hilarious this song really is, but…

Song: Who Are You, Defenders Of The Universe?
Artists: The Dears

Partial lyrics:

We want your information
We will do what we must
But not here or in front of people or
on the phone

We’re not all blood-sucking leeches
For we all have families too
But that don’t mean that we really
love them or that we don’t
‘Cos I can’t love you
And you can’t love me
But I can love you
And you can lover me

Gadi Evron,
ge@linuxbox.org.


Nematodes Cause Economic Losses

A recently published research paper claims that:
“Nematode infestation on a potato crop results in tuber yield decline and/or reduction in quality, thereby contributing economic loss to the industry”.

How is this related to security?

I can just imagine the same research results but for a different type of Nematodes, Dave Aitel’s Nematode.

Dave Aitel’s Nematodes are designed to be beneficial: they exploit a vulnerability in a product and, once it has been successfully exploited, instead of causing harm they do good - i.e. install a piece of software, initiate an update sequence etc., which in turn will close the security vulnerability.

This approach is both arrogant and plain silly. It would be unthinkable to release a weakened smallpox virus or even the flu amongst the population just to inoculate them, as you can never control the virus once it has been released. The same goes for such a beneficial Nematode: once it is out of your lab it is out of your hands.

Dave Aitel is not the first person to tackle the idea of beneficial Nematodes; HP has researched the idea and cooked up a solution called Active Countermeasures, which is basically the same idea: release a piece of software that will fix any computer not immune to a certain type of exploit/vulnerability.

It would be sad to see this approach adopted by the security community, as it would mean that the security community has reached the conclusion that the only way to solve things is by brute force.


Snort Gone Commercial

It started off with the Nessus open source project being commercialized by its main author’s company Tenable, continued with the Snort open source project being commercialized by its main author’s company Sourcefire, and has moved on to Check Point buying out Sourcefire, and effectively all the rights to the Snort project.

It would be an interesting development to see whether this is going to mark the first of many open source projects that mature into a commercial company that is then bought by a large player. I wonder if this will become a new way to earn cash for time invested in open source projects.


Japan to Stage Mock Cyberattacks

I can already picture it: in a few years people will conduct, like they do - or should do - today for fire drills, cyberattack drills where they will test the durability and readiness of their employees and company for a cyberattack.

Until that happens, the Japanese government has decided that it will force/ask a few public and private companies to take part in an exercise to see how well prepared they are for an Internet based attack.

These exercises are planned to:
“… experts will check computer security by gauging the time and work necessary for the participants to normalize their networks”.

Haa? What will they be checking? I would check whether they were able to penetrate them or not, not whether they were able to normalize their networks. Normalized means that they were penetrated but were able to regain control; they should be investigating how the attackers gained control in the first place!

Anyway, it would be interesting to see what the results of this exercise are, whether it will become more of a routine for the Japanese government/companies, and whether it will be endorsed in other countries.


Thinking Different II

You probably know the current situation in one way or another:
You see the computer of a friend (or just someone you know) that is not up to date (usually it’s so out of date that you can tell just from looking at the interface), and when you give them a “tip” to update their Windows XP, they answer, “I saw the new interface in Windows XP SP2, and I didn’t like it one bit”.

Let’s keep this example on Windows for now, because it’s the majority of users these days :( .

Then when you attempt to say something like “but Microsoft fixed a lot of security vulnerabilities”, you either get a response such as “nothing will happen to me” or you lose the conversation, and that’s what I’m going to talk about in this blog entry.

I do not like the idea that an OS is bound to its GUI, because the vendor teaches the common users that the GUI is the only real thing that is important. That’s true, btw, for many other OSes and not just for Microsoft (Mac anyone? maybe you still use BeOS, OS/2 or even KDE/Gnome based Linux?).

The reason for that is simple. In WYSIWYG environments, you do not really know what you are getting… well, you never do know what you get, but with a GUI, people expect GUI updates. They do not accept that there can be other types of fixes, and they do not understand the importance of these updates.

The scariest part here is that most of them do not think that they will be vulnerable, although they do keep an antivirus (usually not 100% up to date), they understand that there is spyware someplace that can hurt them, and other issues. But still, “If I cannot see what was changed, why should I update?” is the more naive response, or “but nothing will happen to me, I’m behind a firewall/antivirus/router/Other”.

In order to convince these people I think that we should use exploits that present the user with a GUI notification that they are vulnerable, like an “xmessage” with current user privileges (or use xhost for gaining the X running option) on X based OSes, or just a popup dialog that cannot be closed, or will appear at “random” :) .
Or just crashing programs and leaving a message in a text file on the desktop, “upgrade me” or something similar.

Regardless of April Fools’ Day, where it might be funny to see users suffer, they will also see that they are vulnerable, and be motivated to find a way to fix this problem.

Now all we have to do is convince vendors to add this type of feature, instead of black hats breaking and entering into users’ computers and doing whatever they want.


Swedish Bank Closes Internet Banking Site

According to F-Secure:
“As the scam was uncovered, Nordea Sweden shut down their whole Internet bank. Apparently this was done in order to prevent the scammers from using the codes to move money around”.

This is a pretty drastic measure for a bank as a response to a phishing scam. But hey, now the phishers have less to worry about: they can go on phishing and the customers will never be able to know they are being scammed, as they can’t go to the real bank’s web site :) .


Vulnerability Scanner