Insecurity #9 (comic strip)

Insecurity, the ninth strip of this new comic.

Insecurity #9

Click on the image for full size.


SCADA Watch: Hackers Penetrate Water System Computers

fergie (paul ferguson) just sent this to funsec:

from the duh-its-a-bot-department!

via abc news’ “the blotter”.


a foreign hacker who penetrated security at a harrisburg, pa., water filtering plant is under investigation by the fbi for planting malicious software capable of affecting the plant’s water treatment operations, abc news has learned.

the hacker tried to covertly use the computer system as its own distribution system for e-mails or pirated software, officials told abc.


Old Internet Explorer Window Injection Vulnerability strikes IE7

First we had the Internet Explorer 7 “mhtml:” Redirection Information Disclosure issue, and then the Internet Explorer 7 Popup Address Bar Spoofing Weakness was reported.

The Window Injection case was originally discovered by Secunia Research back in November 2004. MSIE versions 5.01, 5.5 and 6.0 are still unpatched, and today Mr. Per Gravgaard reported Internet Explorer 7 as affected as well, via the new SA22628 advisory.

The Microsoft Internet Explorer team had almost two years to fix the issue, but they didn’t.

The test link is located at the following URL: 


RFIDIOt released RFID E-passport skimming PoC

Mr. Adam Laurie (UK) has recently posted demonstration code (in Python) which

…will exchange crypto keys with the passport and read and
display the contents therein, including the facial image and the
personal data printed in the passport. Currently the data read is
limited to the following objects:


The project site (the name stands for “RFID IO tools”) has other RFID passport-related material as well.

This week, with vulnerabilities also reported in first-generation RFID-enabled credit cards, is not good news for RFID technology! This NBC Today video and this YouTube demonstration video show the skimming attack, among other things.

I’m not saying “Enjoy!”, I’m saying “Be careful!”


e360 vs. Spamhaus via Tucows (round #3)

e360 is going after spamhaus again, this time trying to use the us marshals service to seize from tucows, inc.

“game on.”

gadi evron,


Anecdotal story about myself, worm writing and Emergent behavior in Worms

When I first started working with computers [I was about 13 & 1/2] I was really interested in figuring out how they ‘did what they did’. So much so that I was tinkering with assembler within 6 months of getting a computer, not that I accomplished much at that time. I didn’t have internet access, so my only ‘escape’ from the real world was delving deeper into the machine. I quickly developed programming skills and was becoming trapped by the limits imposed by QuickBasic (hey, we all learn somewhere :D ). I went back to looking at assembler since I knew I could encode byte code into the BASIC programs. After that I made some great mode 13 games and demos.


The real story behind BT buying Counterpane!

From “Schneier on Security“:

FLUNKY: Sir, that Schneier person called again. He left a detailed


XSS Fragmentation Attacks

A newly released paper shows how a fragmentation attack can be used to make web sites that don’t filter content strictly enough include arbitrary JavaScript, which in turn results in a cross-site scripting vulnerability. One such web site is of course

The concept stems from the idea that if the web site looks for complete tags when it filters content, then supplying broken (fragmented) tag content renders the filtering mechanism useless: each fragment passes the filter on its own, and only the assembled page contains the tag.

You can read more about this at the following link.
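As an added illustration (not code from the paper or the original post), the Python below shows a per-field tag filter of the kind described, two constructed fragments that each pass it, the complete tag they form once the page template joins them, and the output-time escaping that closes the hole. Field names and the template are assumptions.

```python
import html
import re

# A blacklist filter of the kind the paper defeats: it removes complete tags
# it recognises and is applied to each form field on its own.
TAG_RE = re.compile(r"<\s*/?\s*(script|img|iframe|object|embed)\b[^>]*>", re.I)
# Any complete tag, used below to inspect what actually reaches the browser.
ANY_TAG_RE = re.compile(r"</?[a-z][^>]*>", re.I)

def naive_filter(field: str) -> str:
    """Strip recognised tags from one field, looking only at that field."""
    return TAG_RE.sub("", field)

def render_naive(first: str, last: str) -> str:
    """Filter each field separately, then join them into the page."""
    return f"<p>{naive_filter(first)} {naive_filter(last)}</p>"

def render_escaped(first: str, last: str) -> str:
    """Encode at output time, so user text can neither open nor close a tag."""
    return f"<p>{html.escape(first)} {html.escape(last)}</p>"

def injected_tags(rendered: str, template_tags=("<p>", "</p>")) -> list:
    """Complete tags in the rendered page that the template did not emit."""
    return [t for t in ANY_TAG_RE.findall(rendered) if t not in template_tags]

# Constructed sample input: neither fragment is a complete tag, so the
# per-field filter passes both unchanged; joined by the template, they are one.
FIRST = '<img src="x'
LAST = '" onerror="alert(1)">'

if __name__ == "__main__":
    print(render_naive(FIRST, LAST))   # fragments reassemble into an <img> with a handler
    print(injected_tags(render_naive(FIRST, LAST)))
    print(injected_tags(render_escaped(FIRST, LAST)))   # [] once output is escaped
```

The check to run in a review is on the rendered page, not on the individual inputs: only the assembled output shows which tags really reach the browser.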


5 minutes of glory

I have noticed over the last couple of weeks that the number of vulnerabilities being discovered in PHP-related products has soared. This might have been a good thing if some of these vulnerabilities weren’t fictitious.

Take this example:
Smarty-2.6.1 Remote File Include Vulnerabilities

The poster of the vulnerability mentions these lines of code as being vulnerable:
require_once './config.php';
require_once SMARTY_DIR . 'Smarty.class.php';
require_once 'PHPUnit.php';

And further says that by passing:

he is able to cause the PHP code to include arbitrary code. The vulnerability is simply not there; credit is due to J. Carlos Nieto for noting it first.

Is this a single incident? No, another example is a vulnerability titled:
gcards (languagefile) Remote File Include
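An added demonstration (not code from Smarty, from either advisory, or from the original post) of why lines like the quoted Smarty ones are not a remote file include: the include operand is a constant, and constants cannot be set from the request, even with register_globals=On. The directory name, query values and page allowlist are constructed.

```php
<?php
// Stand-in for what ./config.php does: define the constant once.
// (Constructed directory name; Smarty's real config differs.)
define('SMARTY_DIR', __DIR__ . '/libs/');

// Simulate the hostile request such a report relies on, both as the raw
// query parameter and as the variable register_globals=On would create.
$_GET['SMARTY_DIR'] = 'http://attacker.invalid/';   // constructed sample value
extract($_GET);                                      // emulates register_globals
$SMARTY_DIR = $_GET['SMARTY_DIR'];                   // the same thing, explicitly

// A constant is resolved by name; no variable of the same name, and nothing
// in the request, can change what SMARTY_DIR expands to.
$path = SMARTY_DIR . 'Smarty.class.php';
assert($path === __DIR__ . '/libs/Smarty.class.php');
echo "include operand resolves to: $path\n";   // local path, never the remote URL

// For contrast, the shape that does warrant an RFI advisory is an include
// whose operand is a request-controlled variable, e.g.
//   include $_GET['page'] . '.php';      // the request picks the path
// and its hardened form maps the request value onto a fixed allowlist:
$pages = [
    'home' => __DIR__ . '/pages/home.php',
    'help' => __DIR__ . '/pages/help.php',
];
$choice = $_GET['page'] ?? 'home';
$page = $pages[$choice] ?? $pages['home'];   // unknown value: safe default, never a path
echo "page include resolves to: $page\n";
```

Triage rule for such reports: trace the include operand back to where it is set; a define() in a file that is required first cannot be influenced by the request.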


Real life uses for vulnerabilities: [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)

as can be seen in the quoted message below –

so, here we go. real-life uses for vulnerabilities.

below is an example of just one “drop-zone” server in the united states, which has “600 financial companies and banks”.

several gigs of data.

how do these things work?


Firefox 2.0 with phishing detection arrived

Firefox version 2.0 is officially out now.

The Mozilla Foundation has introduced a new Phishing Protection page at the same time:

Firefox 2 contains a built-in Phishing Protection feature that warns you of suspected Web forgeries, and offers to take you directly to a search page so you can find the real Web site you were looking for. You can test the Phishing Protection feature by browsing to this test site.

The page Known Vulnerabilities in Mozilla Products will likely be updated shortly too.

It appears that most of the localized builds are available.

Update 26th Oct: There were no security fixes included this time.


Vulnerability automation and Botnet “solutions” I expect to see this year

so, what i am going to talk about… a tad bit of history on vulnerabilities and their use on the internet, and then, what we are going to see on corporate, isp and internet security relating to botnets this coming year.

vulnerabilities don’t exist for the sake of vulnerabilities. they are used for something, they are a tool. botnets are much the same, using vulnerabilities on the next layer.

this past year we have seen how disclosed vulnerabilities, patched vulnerabilities and 0days have been utilized by automated kits. an inter-linked system of websites which download malicious code (update the kits), try to infect millions of users from just a couple dozen main hubs, and react to the environment.
if a certain vulnerability is seen to be more successful on certain os types or if one is found to not work, the kit will be fixed accordingly and distributed. often immediately after a patch tuesday, likely that same friday evening.

this way, income can be maximized with the number of infections, data stolen and thus roi. both from the expected response time of the vendors as well as how many victims can be reached in that window.

one such kit is webattacker, which has recently been getting more known in public circles.


Re-branding IPS as an anti botnet tool

i saw a pr last month from mcafee on this issue, and now they have issued another one.

for most cases, i don’t believe in ids products.

i think that trying to pitch i[dp]s as a solution for botnets is technologically silly, but marketing-wise right on the spot. as a solution it is plain and simply silly.
a lot of security vendors will now start taking that approach, dealing with the buzzword.

an ips will not cure your botnet problems. it may help pinpoint some bots (or similar) on your network, which is important, but that’s about it.

i wish mcafee all the luck in the world, but this is, in my opinion, way way way over-hyped:

in another pr they present a case study on how they saved a south american country from a botnet attack using their ips. i would like to see more... or something, to back it up as to how, before i state my opinion.

what do you think?

gadi evron,


Money Mule Recruitment Over IM

how many times have you received an email offering “work from home” or 75k a year? these are money mule recruitment emails.

a money mule is much like a drug mule. the mule facilitates the transfer of the money as a middle-man. if, say, an eastern european mobster wants to get the money he stole from a bank account in the us by means of phishing, he’d have to somehow transfer that money.

the money mule would get the money, keep a small percentage and send the rest via the anonymous western union, laundering it.

today was the first time we observed a money mule recruitment happening on instant messaging.

be careful what you believe, whether it comes via email, the phone or im.

gadi evron,


More on Joanna Rutkowska Blue Pill and the New Vista

so, blue pill no longer works on vista. well, that’s too bad. after talking to a few friends of mine, i decided to write a bit more about this.

the main question following this news is: does that mean we are now secure?

the answer, plain and simple, is no.


1. there are other rootkit and trojan horse technologies.
2. this did not solve the problem, it just made sure a driver would have to be loaded to make it work. as a rootkit is being installed, i don’t see this as much of a set-back.

what it is a set-back for is legitimate software development. as an example, a hex editor: the developers would have to create a driver specifically for this purpose. i can see how this can become an issue for a lot of the software out there which needs to access the drive. now they can’t.

a driver will be written and released for bad guys to use with their backdoor tools.

to quote joanna on this issue, from the same blog:

imagine a company wanting to release e.g. a disk editor. now, with the blocked write access to raw disk sectors from usermode, the company would have to provide their own custom, but 100% legal, kernel driver for allowing their, again 100% legal, application (disk editor), to access those disk sectors, right? of course, the disk editor’s auxiliary driver would have to be signed – after all it’s a legal driver, designed for legal purposes and ideally having neither implementation nor design bugs! but, on the other hand, there is nothing which could stop an attacker from “borrowing” such a signed driver and using it to perform the pagefile attack. the point here is, again, there is no bug in the driver, so there is no reason for revoking a signature of the driver. even if we discovered that such driver is actually used by some people to conduct the attack!

but it seems that ms actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem…

gadi evron,


Joanna Rutkowska’s blue pill and Vista RC2

joanna just published a blog entry on this issue and on how her poc doesn’t work on the new vista release.

why, etc.

“it quickly turned out that our exploit doesn’t work anymore! the
reason: vista rc2 now blocks write-access to raw disk sectors for user
mode applications, even if they are executed with elevated administrative


(hat tip to elad efrat)