The List Of A 100 Million Facebook Usernames.

By now you’ve probably all heard about the security researcher Ron Bowes, who wrote a script to grab the list of usernames from Facebook’s public directly. You probably also know that the torrent containing all these unique usernames is available as a torrent to download.

You may not know though that at present, on just one torrent site there are currently 4248 people who have downloaded this list, and that there’s a further 8141 currently downloading this list, that’s a hell of a lot of people that are interested in complete strangers personal information and lives.

Let me just set the record straight here as there are quite a few rumors on the Internet at the moment, this was NOT a hack people. The information is publicly available, via Facebook’s directory page. Some say that the users are to blame for not setting their privacy settings securely, others say that Facebook’s convoluted way of implementing user security settings is too complicated for most common users. Me, personally, I’m a member of the latter camp, security settings should be easy for users to apply, not difficult, a simple “Security Yes/No” would be sufficient for most users.

The social engineering possibilities that you could use this list for are just amazing, and you never know when it may come in handy, or is that just me?
Anyway, what’s done is done now.

Oh yeah, I almost forgot, if you want the torrent, well, that can be found right about here, here, or on pretty much any torrent site at the moment, please remember though, if you do download it………..please seed.


REVIEW: “The Myths of Security”, John Viega

BKMTHSEC.RVW   20091221

“The Myths of Security”, John Viega, 2009, 978-0-596-52302-2, U$29.99/C$37.99
%A   John Viega
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52302-2 0-596-52302-5
%I   O’Reilly & Associates, Inc.
%O   U$29.99/C$37.99 800-998-9938 fax: 707-829-0104
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   “The Myths of Security”

The foreword states that McAfee does a much, much better job of security than other companies.  The preface states that computer security is difficult, that people, particularly computer users, are uninformed about computer security, and that McAfee does a much better job of security than other companies.  The author also notes that it is much more fun to write a book that is simply a collection of your opinions than one which requires work and technical accuracy.

The are forty-eight “chapters” in the book, most only two or three pages long.  As you read through them, you will start to notice that they are not about information security in general, but concentrate very heavily on the antivirus (AV) field.

After an initial point that most technology has a poor user interface, a few more essays list some online dangers.  Viega goes on to note a number of security tools which he does not use, himself.  He then argues unconvincingly that free antivirus software is not a good
thing, unclearly that Google is evil, and incompletely that AV software doesn’t work.  (I’ve been working in the antivirus research field for a lot longer than the author, and I’m certainly very aware that there are problems with all forms of AV: but there are more forms of AV in heaven and earth than are dreamt of in his philosophy.  By the way, John, Fred Cohen listed all the major forms of AV technology more than twenty-*five* years ago.)  The author subsequently jumps from this careless technical assessment to a very deeply technical discussion of the type of hashing or searching algorithms that AV companies should be using.  And thence to semi-technical (but highly opinionated) pieces on how disclosure, or HTTPS, or CAPTCHA, or VPNs have potential problems and therefore should be destroyed.  Eventually all pretence at analysis runs out, and some of the items dwindle down to three or four paragraphs of feelings.

For those with extensive backgrounds in the security field, this work might have value.  Not that you’ll learn anything, but that the biases presented may run counter to your own, and provide a foil to test your own positions.  However, those who are not professionals in the field might be well to avoid it, lest they become mythinformed.

copyright Robert M. Slade, 2009    BKMTHSEC.RVW   20091221


Sophos Free Tool To Detect The Windows Shortcut Exploit (.lnk)

The friendly guys over at Sophos have been kind enough to release a protection tool to protect against the now famous Microsoft LNK 0-day vulnerability. Someone had to do it, it’s a shame it wasn’t Microsoft, but hey.
What this tool does is to replace the current Microsoft icon handler with the Sophos one, so it will check all shortcut (LNK) files before allowing them to run, what’s even nicer is that this tool is free, and you can download it from here.

Please note though that this tool does not protect you from  LNK files or targets stored on the local disk or PIF based exploits.

There’s also a video of the tool in action, which you can find on YouTube here.


Differing takes on privacy

UAE says privacy is a security risk.

US says openness is a security risk.


Social Engineering and Body Language

Social engineering is defined by Wikipedia as “the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”

Over the years I’ve done my fair share of social engineering, and the one thing that I have always found to come in handy is being able to read people’s body language. Being able to notice when someone is pacifying themselves, when you ask certain questions, and knowing where to hone in on for example, has helped me countless times in the past. Being able to notice the little things like when people are extremely nervous when you mention things like “Well, I’m not too sure Mr Jones, you manager would be too happy about me not being able to gain access to this room, as he’s paying me to have a look around in your data hall.” When they’re blatantly telling you, that they can’t allow you access under company policy, etc, etc.

I would encourage anyone that performs penetration testing that includes social engineering exercises, to really take the time to read up on body language and how you can make it work for you, it will help your social engineering skills, and this will also help you to help your clients.

There are countless books on this topic that you can get from most decent bookstores to help you along your way, and the good news is that some of these are really not expensive at all.

Another thing that you may want to look into is reading micro expressions, although I would recommend that you start with learning basic body language first, and then progressing on to micro expressions.


Reflections on Trusting Trust goes hardware

A recent Scientific American article does point out that is is getting increasingly difficult to keep our Trusted Computing Base sufficiently small.

For further information on this scenario, see:  [1]

We actually discussed this in the early days of virus research, and sporadically since.  The random aspect (see Dell problems with bad chips) (the stories about malware on the boards is overblown, since the malware was simply stored in unused memory, rather than being in the BIOS or other boot ROM) is definitely a problem, but a deliberate attack is problematic.  The issue lies with hundreds of thousands of hobbyists (as well as some of the hackers) who poke and prod at everything.  True, the chance of discovering the attack is random, but so is the chance of keeping the attack undetected.  It isn’t something that an attacker could rely upon.

Yes, these days there are thousands of components, being manufactured by hundreds of vendors.  However, note various factors that need to be considered.

First of all, somebody has to make it.  Most major chips, like CPUs, are a combined effort.  Nobody would be able to make and manufacture a major chip all by themselves.  And, in these days of tight margins and using every available scrap of chip “real estate,” someone would be bound to notice a section of the chip labeled “this space intentionally left blank.”  The more people who are involved, the more likely someone is going to spill the beans, at the very least about an anomaly on the chip, whether or not they knew what it did.  (Once the word is out that there is an anomaly, the lifespan of that secret is probably about three weeks.)

Secondly, there is the issue of the payload.  What can you make it do?  Remember, we are talking components, here.  This means that, in order to make it do anything, you are generally going to have to rely on whatever else is in the device or system in which your chip has been embedded.  You cannot assume that you will have access to communications, memory, disk space, or pretty much anything else, unless you are on the CPU.  Even if you are on the CPU, you are going to be limited.  Do you know what you are?  Are you a computer? Smartphone?  iPod?  (If the last, you are out of luck, unless you want to try and drive the user slowly insane by refusing to play anything except Barry Manilow.)  If you are a computer, do you know what operating system you are running?  Do you know the format of any disk connected to you?  The more you have to know how to deal with, the more programming has to be built into you, and remember that real estate limitation.  Even if all you are going to do is shut down, you have to have access to communications, and you have to a) be able to watch all the traffic, and b) watch all the traffic, without degrading performance while doing so.  (OK, true, it could just be a timer.  That doesn’t allow the attacker a lot of control.)

Next, you have to get people to use your chips.  That means that your chips have to be as cheap as, or cheaper than, the competition.  And remember, you have to use up chip real estate in order to have your payload on the chip.  That means that, for every 1% of chip space you use up for your programming, you lose 1% of manufacturing capacity.  So you have to have deep pockets to fund this.  Your chip also has to be at least as capable as the competition.  It also has to be as reliable as the competition.  You have to test that the payload you’ve put in place does not adversely affect performance, until you tell it to.  And you have to test it in a variety of situations and applications.  All the while making sure nobody finds out your little secret.

Next, you have to trigger your attack.  The trigger can’t be something that could just happen randomly.  And remember, traffic on the Internet, particularly with people streaming videos out there, can be pretty random.  Also remember that there are hundreds of thousands of kids out there with nothing better to do than try to use their computers, smartphones, music players, radio controlled cars, and blenders in exactly the way they aren’t supposed to.  And several thousand who, as soon as something odd happens, start trying to figure out why.

Bad hardware definitely is a threat.  But the largest part of that threat is simply the fact that cheap manufacturers are taking shortcuts and building unreliable components.  If I was an attacker, I would definitely be able to find easier ways to mess up the infrastructure than by trying to create attack chips.

[1] Get it some night when you can borrow it, for free, from your local library DVD collection.  On an evening when you don’t want to think too much.  Or at all.  WARNING: contains jokes that six year olds, and most guys, find funny.


Safari AutoFill Exploit

So it seems that Safari uses the details from your Address Book to AutoFill forms on web sites, this is enabled by default. In theory this is a great idea, until someone writes some malicious JavaScript to get these details passed to a hidden form without your knowledge. Looking through all the possible available fields in the Apple Address Book app, it really gets quite troubling. Name, Address, Job Title, Department, Anniversary. This could all be used nicely for a really fun Social Engineering exercise, or really help with an identity theft scam.

There is a PoC of this hosted here.

Personally I’d suggest disabling AutoFill in Safari’s preferences, better safe than sorry.


REVIEW: “The Design of Rijndael”, Joan Daemen/Vincent Rijmen

BKDRJNDL.RVW   20091129

“The Design of Rijndael”, Joan Daemen/Vincent Rijmen, 2002, 3-540-42580-2
%A   Joan Daemen
%A   Vincent Rijmen
%C   233 Spring St., New York, NY   10013
%D   2002
%G   3-540-42580-2
%I   Springer-Verlag
%O   212-460-1500 800-777-4643
%O   Audience s- Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   “The Design of Rijndael: AES – The Advanced Encryption Standard”

This book, written by the authors of the Rijndael encryption algorithm, (the engine underlying the Advanced Encryption Standard) explains how Rijndael works, discusses some implementation factors, and presents the approach to its design.  Daemen and Rijmen note the linear and differential cryptanalytic attacks to which DES (the Data Encryption Standard) was subject, the design strategy that resulted from their analysis, the possibilities of reduce round attacks, and the details of related ciphers.

Chapter one is a history of the AES assessment and decision process.  It is interesting to note the requirements specified, particularly the fact that AES was intended to protect “sensitive but unclassified” material.  Background in regard to mathematical and block cipher concepts is given in chapter two.  The specifications of Rijndael sub-functions and rounds are detailed in chapter three.  Chapter four notes implementation considerations in small platforms and dedicated hardware.  The design philosophy underlying the work is outlined in chapter five: much of it concentrates on simplicity and symmetry.
Differential and linear cryptanalysis mounted against DES is examined in chapter six.  Chapter seven reviews the use of correlation matrices in cryptanalysis.  If differences between pairs of plaintext can be calculated as they propagate through the boolean functions used for intermediate and resultant ciphertext, then chapter eight shows how this can be used as the basis of differential cryptanalysis.  Using the concepts from these two chapters, chapter nine examines how the wide trail design diffuses cipher operations and data to prevent strong linear correlations or differential propagation.  There is also formal proof of Rijndael’s resistant construction.  Chapter ten looks at a number of cryptanalytic attacks and problems (including the infamous weak and semi-weak keys of DES) and notes the protections provided in the design of Rijndael.  Cryptographic algorithms that made a contribution to, or are descended from, Rijndael are described in chapter eleven.

This book is intended for serious students of cryptographic algorithm design: it is highly demanding text, and requires a background in the formal study of number theory and logic.  Given that, it does provide some fascinating examination of both the advanced cryptanalytic attacks, and the design of algorithms to resist them.

copyright Robert M. Slade, 2009    BKDRJNDL.RVW   20091129


Microsoft LNK exploit added to Metasploit

With all the talk about the Microsoft LNK exploit, it was only a matter of time before the guys over at camp Metasploit added the exploit for this one to the Metasploit Framework.

You can find the details for the module over here.

If you’re one of those types of people that want to have a look at the source code for this one, then you can cast your eyes on that right here.

To get this module into MSF, all you have to do is SVN up.

Have fun ;-)


Microsoft LNK exploit

The recently discovered LNK exploit; using the way Microsoft parses link or shortcut icons for display in order to get something else executed; may be a tempest in a teapot.  It is technically sophisticated, but so far we don’t appear to have seen it used widely.

Probably a good thing.

This exploit could be used in a wide variety of ways.  You can use it in removeable media, so that any time you shove a CD in a drive, or connect a USB stick/thumb drive (or any other USB device, for that matter) to a computer, it results in an infection or some malicious payload.

And remember that OLE stands for object *LINKING* and embedding.  Since it is trivially easy to embed a virus in any Windows OLE format data file, it should be just as easy to create malicious links in any such files.

Microsoft’s own information on the issue seems to indicate that there is a related, but separate, issue with Microsoft Office components, related to Web based activities.  (By the way, when accessing that site, the information about how to protect against the exploit is hidden under the “Workarounds” link, rather than being explicit on the page.)

Some of the potential effects are discussed by Randy Abrams at


Mozilla Raises Bug Bounty To $3000 For Security Bugs

Mozilla seems to have now stepped up to the plate to actually pay security researchers for their time spent uncovering new vulnerabilities in their software. The following is taken from the Mozilla Security Bug Bounty Program web site. “The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $3000 (US) cash reward and a Mozilla T-shirt.”

This is great news and really shows that they’re serious about weeding out the bugs in their software, but the question is, if not for profit organization can afford to pay $3000 for a security bug, then why the hell are places like Microsoft, Apple and Oracle not doing the same? I know that we can go through Tippingpoint’s Zero Day Initiative or iDefense’s ZDI, but still. This really is a great initiative, and will get me spending some late nights trying to find some new bugs.

As security researchers I’m beginning to think that we should all start looking into the companies that pay for bugs with a lot more effort, and they seem to actually care about the security of their products, and I personally have no problem spending a few late nights to try and find a bug in some software if I know that I’m going to get paid for it.

On the other hand, companies such as Microsoft complain when someone releases a 0-day exploit, but you have to wonder if this would have happened had they had the same sort of bug bounty scheme in place. If Microsoft paid security researchers a fair fee for bugs found in their software, then I’m pretty sure the amount of 0-days released by security researchers would drop considerably. It would have to be worthwhile, for example, if Microsoft were to structure their payment on the severity of the exploit, eg, if it was a bug in all versions of IE, then it would gain a much higher payment, than if it was a bug in just Windows Vista, this would have people spending more time trying to find the bugs. After all, what security researcher doesn’t want to be rewarded for his time on a financial level.

Just something for the larger software companies to think about…


The Internet not a meeting of minds

This is depressing, but probably true.  Ethan Zuckerman, at the current TED, notes that the Internet makes us think we being exposed to, and learning from, differing world views, but that, particularly in relation to social networking, we are usually simply seeking out similar views to our own, and reinforcing our existing viewpoints.

You can read a report from the BBC or see the actual talk at TED.

(I like the “imaginary cosmopolitanism” phrase.  It reminds me of being in NYC.)

(If you can’t see the security implication in broadening your outlook, there is no hope for you.)


Caller-ID spoof and voicemail

It’s easy to spoof caller-ID with some VoIP systems.  There are a few Websites that specifically allow it.  It’s a little harder, but geekier, to spoof or overflow caller-ID with a simple Bell 212A modem: it’s transmitted with that tech between the first and second rings of the phone.  (Since most people have caller-ID these days, many telcos don’t play you the first ring.  Since we don’t have caller-ID, we often get accused of answering the phone before it rings.)  (Of course, the rings you hear on the calling side aren’t necessarily the rings heard on the other end, but …)

Apparently AT&T allows immediate access to voicemail on the basis of caller-ID.

Apparently, with Android phones, it’s also gotten even easier to spoof caller-ID.


Metasploit 3.4.1 Released

Sunday 11th July saw the release of the latest version of the Metasploit Framework, and you can tell that the guys have been really busy over in Metasploit development land. Please see the release notes for this version below, and you can download the latest version from here.


  • Metasploit now has 567 exploits and 283 auxiliary modules (up from 551 and 261 in v3.4)
  • Over 40 community reported bugs were fixed and numerous interfaces were improved


  • The Windows installer now ships with a working Postgres connector
  • New session notifications now always print a timestamp regardless of the TimestampOutput setting
  • Addition of the auxiliary/scanner/discovery/udp_probe module, which works through Meterpreter pivoting
  • HTTP client library is now more reliable when dealing with broken/embedded web servers
  • Improvements to the database import code, covering NeXpose, Nessus, Qualys, and Metasploit Express
  • The msfconsole “connect” command can now speak UDP (specify the -u flag)
  • Nearly all exploit modules now have a DisclosureDate field
  • HTTP fingerprinting routines added to some exploit modules
  • The psexec module can now run native x64 payloads on x64 based Windows systems
  • A development style guide has been added in the HACKING file in the SVN root
  • FTP authentication bruteforce modules added


  • Some Meterpreter scripts (notably persistence and getgui) now create a resource file to undo the changes made to the target system.
  • Meterpreter scripts that create logs and download files now save their data in the ~.msf3/logs/scripts folder.
  • New Meterpreter Scripts:
  • enum_firefox – Enumerates Firefox data like history, bookmarks, form history, typed URLs, cookies and downloads databases.
  • arp_scanner – Script for performing ARP scan for a given CIDR.
  • enum_vmware – Enumerates VMware producst and their configuration.
  • enum_powershell – Enumerates powershell version, execution policy, profile and installed modules.
  • enum_putty – Enumerates recent and saved connections.
  • get_filezilla_creds – Enumerates recent and saved connections and extracts saved credentials.
  • enum_logged_on_users – Enumerate past users that logged in to the system and current connected users.
  • get_env – Extracts all user and system environment variables.
  • get_application_lits – Enumerates installed applications and their version.
  • autoroute – Sets a route from within a Meterpreter session without the need to background the sessions.
  • panda_2007_pavsrv53 – Panda 2007 privilege escalation exploit.
  • Support for a dns bypass list added to auxiliary/server/fakedns. It allows the user to specify which domains to resolve externally while returning forged records for everything else. Thanks to Rudy Ruiz for the patch.
  • Railgun – The Meterpreter “RAILGUN” extension by Patrick HVE has merged and is now available for scripts.
  • PHP Meterpreter – A protocol-compatible port of the original Meterpreter payload to PHP. This new payload adds the ability to pivot through webservers regardless of the native operating system
  • Token impersonation now works with “execute -t” to spawn new commands with a stolen token.

Known Issues

  • Interacting with a meterpreter session during a migration will break the session. See #1360.
  • There is no simple way to interrupt a background script started by AutoRunScript
  • Command interaction on Windows causes a PHP Meterpreter session to die. See #2232

Microsoft Retires Windows 2000 Professional and XP Service Pack 2

Yesterday Microsoft officially retired support for Windows 2000 Professional and Windows XP Service Pack 2 (SP2).

So what does this mean to the average user, well your Operating System isn’t just going to stop working, so that’s the good news. The bad news however is that Microsoft will no longer be releasing any security patches for either of these Operating Systems going forward.

So if a vulnerability is discovered in one of these Operating Systems now, then you really are on your own to try and secure it.

Please be aware of this people and make the necessary upgrades as soon as humanly possible.

For more info on Microsoft’s Support Lifecycle for both of these platforms please see the links below.

Windows 2000 Professional

Windows XP Service Pack 2


Microsoft Black Tuesday Summary July 2010

I decided that it would be a good idea to publish summaries of MS’s patch updates on here each month, let me know your thoughts. I know that you can get these from MS directly, but I just figured that if you read SecuriTeam anyway, then here’s some more useful information for you.

My personal opinion on this one is that if there’s one patch you really should apply ASAP, then it should be MS10-042.
So without further ado.

MS10-042 (Critical – Remote Code Execution)

Vulnerability in Help and SupportCenter Could Allow Remote Code Execution (2229593)

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-043 (Critical – Remote Code Execution)

Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
MS10-044 (Critical – Remote Code Execution)

Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-045 (Important – Remote Code Execution)

Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Have fun patching all, and please remember to test these patches in a non-production environment before applying directly to production environments guys and girls.