These bad days of Google’s security team

This week started with news of three serious vulnerabilities in Google’s services and products, via the hacademix.net post GoogHOle (XSS pwning GMail, Picasa and almost 200K customers).

But it appears the information was already public on Sat 22nd Sep.

The report says Google’s security team was contacted before the release. The exact date is not known, however.


Worm city: security is in the eye of the beholder

It’s difficult living in the world of security researchers. Every other day you get depressed knowing there is always yet another vulnerability, and if someone wants to, they will get you.

It is also difficult living in the world of security management and corporate security, where people try to control their risk and lower their overall vulnerability.

I am somewhere in the middle. Twice cursed.

Large companies are interesting because all the assets are spread amongst different groups, systems, networks, and physical locations.

So... combine large companies with large code bases.

What you get is: Worm City (or botnet city if you like). Swiss cheese.

As Vizzini would say: “Inconceivable!” [The Princess Bride (1987)]

This quick post was written quoting parts of a conversation I had with a security researcher friend, known only as “anonymous jaded security something or other”.

Gadi Evron,
ge@linuxbox.org.


Flayer is Google’s step to Web application security testing

Google has introduced the tool recently via its Online Security Blog.

The tool is released under GNU General Public License v2.

The home of the new project is here: code.google.com/p/flayer/

Visitors to the WOOT ’07 conference are already aware of it.


JFFS2 ACL security issue in OLPC project - the first one?

Let the CVE describe the vulnerability:

JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly other Linux systems, when POSIX ACL support is enabled, does not properly store permissions during (1) inode creation or (2) ACL setting, which might allow local users to access restricted files or directories after a remount of a filesystem…

The only references available are one from the Linux MTD mailing list and one from the ticket system of Laptop.org.

It appears that the CVSS score assigned last week is 4.4, i.e. Medium.

OVPC - One Vulnerability Per Child or do we have any others?

Hey, this is post #1000 ;-) and there are 925 posts in the archive.


Apology from Ameritrade

I got the following email from Ameritrade on Friday. If anyone has more details about this story please comment below.

Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

What we want you to know:

  • Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
  • You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.

While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country’s largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.

For more information on protecting yourself against the possibility of security threats, please visit our online Security Center.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your assets and information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and we will remain vigilant about protecting you.

We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs) and an additional message from me, please go to www.amtd.com or contact Client Services. Please note that we are anticipating increased call volume during this period, which may lead to long wait times. We encourage you to review the FAQs and, if you have a question, to log on to your account and send us a secure email. Once again, please be assured that your assets are secure at TD AMERITRADE.

Sincerely,

Joe Moglia
CEO
TD AMERITRADE

Update: Here’s some more information by Ed Falk at CircleID. It seems that Ameritrade either sold the list or someone hacked in and stole it. I’m not sure which option I prefer…


13-year old MBR virus - and shipped with Medion laptops

The German company Medion has confirmed that it has shipped laptops containing an MBR virus that has been known since 1994.

According to Sunbelt the virus is Stoned.Angelina.

Symantec write-up here and F-Secure write-up here (the same name in use).
It appears that the affected model is Notebook Medion MD 96290. Link to the FAQ page of the vendor (German language):
www.medion.de/?service_~u~_support/allgemeine_FAQs.html

Please check the entry ‘Wichtige Produktinformation zum Notebook MD 96290′.

Update: Or the following permalink www.medion.de/popup_md96290.htm

The number of infected laptops, and how the master boot record virus found its way onto brand new machines (which, I believe, have no floppy drive), are not known.
But this is not the first time.

Exactly two years ago Creative shipped several thousand Zen Neeon MP3 players containing the Windows worm Wullik.B.

And back in 1995 (from F-Secure’s Angelina description):

In October 1995 [Stoned.Angelina] was found on new Seagate 5850 (850 MB) IDE hard disks.

Update #2: No floppy drive is included.


Tor - an onion which discloses your military and embassy secrets

If someone missed this:

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise, reporting on a very interesting finding by Swedish IT security consultant Dan Egerstad.

The original blog entry here: Time to reveal…


Things to do on the Jewish new year

Tomorrow is Rosh Hashana, the Jewish new year. Ten days after is “Yom Kippur”, a day of fasting (not for me, though. I will be spending Yom Kippur speaking at the CNASI conference in Sao Paulo and the local “Churrascarias” are just too good to miss. God will have to forgive me this time, but I’m sure she understands - there has to be a Churrascaria in heaven.
By the way, if you are in Sao Paulo on Thursday or Friday next week drop me a note and I’ll buy you a caipirinha).

This period between Rosh Hashana and Yom Kippur is when every Jew should summarize the year that ended and think of all the wrongs he has done to his fellow men, so that he can fix those or at least ask them for forgiveness. When it comes to providing security to their users, most organizations need to ask for forgiveness. So to help you, even if you are not Jewish, here’s a quick check list of bad things you may have done to your users this year.

* Not providing a useful service.
A common fallacy is that security is the opposite of usability. In fact, there’s very little correlation between usability and security and anyone who says otherwise is using security as an excuse to not do something.
The worst offenders are those who prevent you from using a certain service in the name of “security”. Let’s see: I can buy online anything that I wish using only a credit card (amazon, ebay). I can transfer money to people and have them transfer money to me (paypal). I can buy plane tickets and print my boarding pass (all airlines). I can buy and sell stock. Order food. File my taxes. Consult with my doctor.
Whatever the service you think of providing through a computer, it’s probably not as sensitive as my medical information, not as expensive as a first-class airline ticket, not as financial as a money transfer and not as fresh as a hot pizza. All of these can, and are, done over the Internet every day - so what’s your excuse?

* Not giving your users the best security possible
Here’s a common line: “We’re not a target for hackers, so let’s use a fixed password that is hidden in the HTML page inside a HIDDEN form field. What are the real chances of anyone finding out?”. There is no excuse for not using the basic, common, proven security measures. Putting decent security on just about any system is not an expensive task, and just like you lock your door even though you’re not Fort Knox, you should protect your system with something that is not trivial to break by someone who knows the system design. By the way, sometimes all it requires is a little thinking - some of the most effective security measures are just clever design ideas.

* Not solving other systems’ problems.
So you’ve implemented a nifty challenge-response system but your password is stored plaintext in a backup database that sits on an open share. The fact that you are not responsible for the backups does not relieve you from the obligation to ensure the system is secure end-to-end.

* Not thinking “how can I improve my system’s security”.
Maybe you have excellent security in your system. It might even be tested regularly and come up with a great score. But what can you do to further secure it? Maybe there’s a new feature in the framework you’re using, or a new plugin/widget/component that can help your users be a little more secure (while not compromising on usability!). I don’t like to use clichés like “security is a process”, so I won’t. But you get the idea.

* Not helping your users protect themselves against your system.
When doing threat analysis, designers commonly forget an important part: your users should be able to defend against attacks from your system. It’s the ethical thing to do: what if some day someone hacks into your system? What can they then do?
But it’s also the practical thing to do. If your system is potentially dangerous to users, they won’t use it. Forcing ActiveX usage is an example where many systems fail: some enterprises disable ActiveX in browsers as part of their security policy (some even go the extra mile and disable Internet Explorer completely). These organizations will not be able to use your service. The same goes for dangerous client-side scripts, needing admin privileges to do stuff and replacing vital system files.
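As an added illustration of the second and third items above (this is example code, not code from the original post): the “fixed password in a hidden form field” check is shown beside a server-side alternative that stores only salted PBKDF2 hashes, so that a dump of the user store (the backup sitting on an open share) gives up no password. The token value, the markup, the iteration count and the sample users are all constructed for this example.

```python
import hashlib
import hmac
import os

# --- The anti-pattern: a fixed "password" embedded in a hidden form field ---
# The token value and the page markup are constructed for this example.
HIDDEN_FIELD_TOKEN = "letmein"
LOGIN_PAGE_HTML = ('<form method="post" action="/admin">'
                   f'<input type="hidden" name="auth" value="{HIDDEN_FIELD_TOKEN}">'
                   '<input type="submit"></form>')


def weak_check(form_fields: dict) -> bool:
    """Accepts any request whose hidden field matches the page-embedded constant."""
    return form_fields.get("auth") == HIDDEN_FIELD_TOKEN


def token_visible_in_page(html: str):
    """Shows why weak_check protects nothing: the 'secret' is recoverable from the
    HTML that every client receives, so anyone who reads the page source has it."""
    marker = 'name="auth" value="'
    start = html.find(marker)
    if start < 0:
        return None
    start += len(marker)
    return html[start:html.find('"', start)]


# --- The hardened form: per-user salted PBKDF2 hashes, verified server-side ---
ITERATIONS = 100_000  # constructed example value


def make_record(password: str, salt: bytes = None) -> dict:
    """Store only what is needed to verify a password later, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def build_user_store(users: dict) -> dict:
    """users maps username -> password (constructed sample input); the returned
    store maps username -> hash record and is what a backup would contain."""
    return {name: make_record(pw) for name, pw in users.items()}


def store_leaks_plaintext(store: dict, known_passwords) -> bool:
    """The 'backup on an open share' check from the third item: a dump of the
    store must not contain any password verbatim."""
    dump = repr(store)
    return any(pw in dump for pw in known_passwords)
```

The point of the pairing: `weak_check` is defeated by `token_visible_in_page`, which needs nothing but the page every visitor already gets, whereas a copy of the store built by `build_user_store` contains salts and hashes only, so the backup problem from the third item becomes a much smaller one.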

The good thing about security is that like with Yom Kippur, you always get a second chance. No matter how many of the above mistakes you’ve made, it’s not too late to fix it. And when you do, most people will forgive you - that’s a sure way to pile up your karma and go to heaven (you can later exchange the karma points for whatever your religion keeps score in).

aviram@beyondsecurity.com


Vulnerable test application: Simple Web Server (SWS)

Every once in a while (last time a few months ago) someone emails one of the mailing lists looking for an example binary, mostly for:

- Reverse engineering for vulnerabilities, as a study tool.
- Testing fuzzers

Some of these exist, but I asked my employer, Beyond Security, to release our test application, built specifically for testing fuzzing (it is the target we use with the beSTORM fuzzer). They agreed to release the HTTP version, following their agreement to release our ANI XML specification.

The GUI allows you to choose what port you want to run it on, as well as which vulnerabilities should be “active”.

It is called Simple Web Server or SWS, and has the following vulnerabilities:

1. Off-By-One in Content-Length (Integer overflow/malloc issue)
2. Overflow in User-Agent
3. Overflow in Method
4. Overflow in URI
5. Overflow in Host
6. Overflow in Version
7. Overflow in complete packet
8. Off By One in Receive function (linefeed/carriage return issue)
9. Overflow in Authorization Type
10. Overflow in Base64 decoded
11. Overflow in Username of authorization
12. Overflow in Password of authorization
13. Overflow in Body
14. Cross site scripting
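As an added example that is not part of SWS or of Beyond Security’s code: a small HTTP request parser, in Python, that applies the bounds and grammar checks whose absence produces most of the bug classes in the list above (an unvalidated Content-Length, unbounded method/URI/version/header and credential lengths, line-terminator handling in the receive step, unchecked Base64 decoding of the Authorization header). The limits, the SAMPLE_OK request and the function names are constructed for this example; a real server would tune the limits.

```python
import base64
import binascii

# Limits are constructed example values; a real server would tune them.
MAX_REQUEST_LINE = 2048
MAX_URI = 1024
MAX_HEADER_LINE = 4096
MAX_HEADERS = 64
MAX_BODY = 1_000_000
MAX_CREDENTIAL = 255  # bytes, for each of username and password
_TOKEN_CHARS = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                         b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


class RequestError(ValueError):
    """Raised with a short reason whenever the request breaks a bound or the grammar."""


def _split_lines(head: bytes):
    # Accept CRLF and bare LF; a stray CR elsewhere is ordinary data. Splitting on LF
    # and stripping at most one trailing CR is the receive-step logic where an
    # off-by-one on the line terminator classically shows up.
    return [ln[:-1] if ln.endswith(b"\r") else ln for ln in head.split(b"\n")]


def parse_request(raw: bytes) -> dict:
    # Head and body are separated by the first blank line, CRLF CRLF or LF LF.
    found = [(raw.find(sep), sep) for sep in (b"\r\n\r\n", b"\n\n")]
    found = [f for f in found if f[0] != -1]
    if not found:
        raise RequestError("no end of headers")
    idx, sep = min(found)
    head, body = raw[:idx], raw[idx + len(sep):]

    lines = _split_lines(head)
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > MAX_REQUEST_LINE:
        raise RequestError("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise RequestError("malformed request line")
    method, uri, version = parts
    if not method.isalpha() or len(method) > 16:  # bytes.isalpha() is ASCII-only
        raise RequestError("bad method")
    if not uri.startswith(b"/") or len(uri) > MAX_URI:
        raise RequestError("bad uri")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise RequestError("bad version")

    if len(header_lines) > MAX_HEADERS:
        raise RequestError("too many headers")
    headers = {}
    for ln in header_lines:
        if len(ln) > MAX_HEADER_LINE:
            raise RequestError("header line too long")
        name, colon, value = ln.partition(b":")
        if not colon or not name or any(b not in _TOKEN_CHARS for b in name):
            raise RequestError("malformed header")
        headers[name.lower().decode("ascii")] = value.strip()

    # Content-Length: ASCII digits only (no sign, whitespace or hex), then bounded.
    # This is where a native server's len + 1 / malloc arithmetic overflows; Python
    # ints do not wrap, but the explicit bound is what keeps the body honest.
    body_len = 0
    if "content-length" in headers:
        cl = headers["content-length"]
        if not cl.isdigit() or len(cl) > len(str(MAX_BODY)):
            raise RequestError("bad content-length")
        body_len = int(cl)
        if body_len > MAX_BODY:
            raise RequestError("body too large")
    if len(body) < body_len:
        raise RequestError("incomplete body")
    body = body[:body_len]

    # Authorization: Basic, with the encoded blob bounded before decoding and the
    # decoded user:password pair bounded again afterwards.
    auth = None
    if "authorization" in headers:
        scheme, _, blob = headers["authorization"].partition(b" ")
        if scheme.lower() != b"basic":
            raise RequestError("unsupported auth scheme")
        if len(blob) > 4 * ((2 * MAX_CREDENTIAL + 1 + 2) // 3):  # base64 of 511 bytes
            raise RequestError("credentials too long")
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            raise RequestError("bad base64") from None
        user, colon, password = decoded.partition(b":")
        if not colon or len(user) > MAX_CREDENTIAL or len(password) > MAX_CREDENTIAL:
            raise RequestError("bad credentials")
        auth = (user, password)

    return {"method": method.decode(), "uri": uri.decode("ascii", "replace"),
            "version": version.decode(), "headers": headers, "body": body, "auth": auth}


def rejects(raw: bytes):
    """Return the rejection reason, or None when the request parses cleanly."""
    try:
        parse_request(raw)
    except RequestError as exc:
        return str(exc)
    return None


# Constructed sample request (credentials are base64 of "alice:secret").
SAMPLE_OK = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Authorization: Basic YWxpY2U6c2VjcmV0\r\nContent-Length: 5\r\n\r\nhello")
```

Each `RequestError` reason maps to one of the listed classes, so the parser doubles as a checklist when reviewing a server of your own: every place it raises is a place where a C implementation would need an explicit length or arithmetic check before copying or allocating.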

It can be found on Beyond Security’s website, here:
http://www.beyondsecurity.com/sws_overview.html

Gadi Evron,
ge@linuxbox.org.


IMF going to be boring this year

The IMF (IT-Incident Management & IT-Forensics conference) is going to be boring this year, and I am not saying this because I wasn’t invited (hint :) ). It’s because Germany has recently passed a law that forbids German citizens from researching, discussing or disclosing security problems.

This makes it illegal for German citizens to participate in the conference, and possibly makes the people organizing it act in an illegal manner.

The only ray of light here is the fact that RUS-CERT are the guys behind it, and they might be linked high enough to avoid prosecution - hopefully :) .


Fake blogs and search engines

URLs in this post should be considered as unsafe.

Fake sites and SE poisoning are nothing new. The use of blogs for this is far from new, either. Thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

Web spam is a subject I have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

A new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a Google alert on my name.

I get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
This time around they really over-did it.

The page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

Then the site shows the YouTube video which can be found under my name.
Following that is a post I made to a mailing list recently (poorly formatted).
Then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

They finish the page off by adding comments, which are actually some old securiteam posts by me.

Heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. Their auto-creation tools seem to be getting more impressive, and I believe we will see much improved believable sites, soon.

Google Blog Search displays this site as (nasty words replaced with beep):

Gadi Evron
2 Sep 2007
Gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. Teen Cherry Action - Nice brunette teen beeped hard on the bed and getting a beepy beepshot. Beep beeping boy beep teen legs, …
Untitled - h ttp://n ewadult.celeberia.com/

URL:
h ttp://n ewadult.celeberia.com/Gadi-Evron

Again, I am unsure if these URLs are safe.

For those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. Search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). Then of course, there is advertising and Google ads.
It works. And the advertising space on unrelated key words is a plus.

The concept is very similar to comment spam. Comment spam may not contribute to SE ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. Nofollow is crap, and what shows up when you search is what matters.

As an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://gevron.livejournal.com/8859.html for the example).

He left a URL for his legitimate Python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title ‘A Jew in a German Camp’ (about the CCC Camp in Germany). He is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

Gadi Evron,
ge@linuxbox.org.


Sony about rootkits: Not many USM-F sticks were sold

New information is available on the rootkit issue with Sony MicroVault USB sticks that include a fingerprint reader.

One of the stories is this Computer Weekly article which states:

A Sony spokesperson said: “While relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation. No customers have reported problems related to situation to date.”

And earlier, F-Secure’s Mikko Hyppönen reported that there are several reasons why this issue is less serious than Sony BMG’s XCP issue was.


Earl #11 (comic strip)

Earl, strip #11 of this new comic.

Earl #11



Bank of India: We’re back - with pop-ups

The Web site of Bank of India is up and working again after the very serious attack last week.

From the pop-up generated by
www.bankofindia.com/home/startpage.asp

SITE HAS BEEN RESTORED AFTER MAKING IT SAFE FOR CUSTOMERS TO VISIT WITHOUT WORRY!!!!!

NOTICE
In reference to our RFP BOI/HO/IT/FIS/1 dated 1.8.2007for providing Financial Inclusion solution the due date for submission of the bid is extended upto 8th September 2007

But after a delay of some seconds the following error message appeared (Safari in use):

Server Error in ‘/’ Application.
The resource cannot be found
Description: HTTP 404
Requested Url: /home/OpinionPoll/opinionpoll.aspx

On Monday 3rd Sep the main page URL had a different format:
www.bankofindia.com/home/index.asp

which generates a 404 today.

Since last Saturday they have displayed the following statement, with no information about the Trojan/spyware risk:

This site is under temporary maintenance till further notice.
Kindly bear with us

BTW: Their online banking system Star Connect uses pop-ups as well.


OSCP (Offensive Security Certified Professional) Training and Challenge

I’m writing this post, as I really feel that this course needs to get more publicity. Over the last few years I have done countless security courses, and exams from some of the top players in this market, and nothing has come close to the OSCP training.

I first signed up for the training in May, as I saw it advertised on the Offensive Security website and thought that it sounded fun. At first glance, I really wasn’t too sure about the training materials, as you get a Flash based CBT and a PDF. I initially ran through the CBT side of things in a week, when I actually got around to doing the training, and thought that it needed a bit of work. I think that I wasn’t looking at the training from the right angle, and that’s why I misjudged it. It’s not designed to teach you everything in one sitting; it’s designed to give you enough information to go away and actually spend some time researching the different areas that they cover, and in which case, it’s the best training that I’ve ever taken!

There is no way that a training course could cover everything that they cover without expecting you to go away and do some research yourself, and well to me, doing the research on my own time really paid off, as I feel that I learnt more in the time that I spent either going through the training or researching bits of it, than I have in the last 2 years.

Now on to the actual challenge that you must pass to obtain the certification. This is a live hack of a number of predefined hosts, and you have 24 hours to get through them all. You can pretty much use any publicly available exploits or even write your own to compromise these hosts, and well, let me tell you, this has been the most insane 24 hours that I have ever had. It took me 23 hours and 55 minutes, and even then I didn’t manage to fully finish the last question, but I knew that 5 minutes wouldn’t have been enough for me to finish it. Throughout the whole 24 hour period, I had 2 hours sleep, and the rest of the time was spent trying to compromise the various hosts. It may not take other people as long as it took me, but “Challenge” is definitely the right choice of words for it. If you don’t know how to exploit systems to a level where you have root/Administrator access then in no way are you ready for the Challenge.

Thankfully I made it through, and if I hadn’t I would have sat it again, but it would have been a while before I did, as it really does take it out of you. From my side though, when I come across another OSCP, I will show them the respect they deserve, as honestly, if you can get through the Challenge, then you should have a pretty good idea about how to conduct a proper penetration test, and no other training that I’ve done has ever been as hands on or in depth.

To anyone thinking about taking the course, do yourself and your employer a favour and sign up for it, you won’t regret it.


hackers @ microsoft, MS’s place for white-hat (and blue-hat) hackers

A new blog has been opened in the MSDN Blogs section.
The opening post has officially - at last - stated the following:

We employ “white hat hackers” who spend their time pentesting and code reviewing applications and software looking for weaknesses and vulnerabilities so that others don’t once we’ve released that code into the wild.

It will be interesting to see whether they share information about BlueHat activities via this blog too.

The link itself:
blogs.msdn.com/hackers/

