Posts by xyberpix

Security professional, hacker, biogenetic organism, social engineer.

World’s first “Decode the Race car” Challenge!!

So I haven’t written for a while, and that’s mainly because setting up your own security consultancy takes a lot more time than I would have imagined, but hey, it’s been a fun ride so far.

So while everyone else is off writing about Sony, I figured that I’d lighten the mood here with something that I think is such a great idea. The guys at Secure Racing have a challenge coming up, which sounds like it’s going to be great fun, and it’s such a novel idea as well.

So taken directly from the Secure Racing website, here is all the information about the challenge coming up on the 19th June at Brands Hatch.

“Secure Racing, the Information Security industry’s motorsport team, has laid down a challenge to anyone with a flair for code-breaking or a passion for cryptography.

At the team’s first race on 19th June at the Brands Hatch circuit in Kent, the Secure Racing Aston Martin will feature a hidden coded message somewhere within its livery and decals. The question is – can you find it and decipher it?
This is the first time a motorsport team anywhere in the world has offered a competition like this on their car. Developed by the Threats and Vulnerabilities Team at PWC, it forms the basis of a competition for anyone who wants to test their mettle and win fantastic prizes. Anyone can enter.

One week after the race, one winner and nine runners up will be drawn at random from the first 100 correct answers that we receive. Later this year, the lucky winner will get to jump in the Secure Racing Aston Martin Vantage GT4 to experience the exhilarating speed of getting around a circuit alongside a professional race driver. The winner will also get tickets to join the team at the Silverstone British GT Championship round and, along with the nine runners up, they will also receive complimentary membership to the Secure Racing members club – the details of which will be announced on race day.
Anyone who attends the Brands Hatch race on 19th June will have a chance to get up close and personal with our Aston and therefore have the best chance of spotting and cracking the code. For those that can’t make it, we will be posting pictures of the car on our website a couple of days after the race so you can take part.
Those who find and crack our code should email their answer to richard.moss@secureracing.co.uk
Ladies and gentlemen – the fun begins here. Start your engines, the Secure Racing story is about to begin.
Discounted admission tickets available exclusively for Secure Racing fans at: www.motorsportvision.co.uk/secracing

Microsoft Security Bulletin MS10-070, Important, Really??

So, SANS has set its InfoCon level to yellow to increase the visibility of this update, and hopefully to encourage people to patch it sooner rather than later. All I can say is that I hope that it does actually get people to apply this patch quickly.

Apparently MSFT are aware of “active attacks”, which raises the question of why this is only rated as an “Important” patch. I’m sure they have their reasons, but if you are running any web applications, you are really advised to patch sooner rather than later on this one.

The details of the patch, taken from Microsoft’s website are the following:

—————————–

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

———————-
As always, people, be safe and patch ASAP; the Internet is a dangerous place….
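The bulletin says the fix is to additionally sign everything ASP.NET encrypts. As an added illustration of that construction (not Microsoft’s code, and not taken from the bulletin), here is encrypt-then-MAC in Go with the standard library: AES-CBC ciphertext gets an HMAC-SHA256 tag, the tag is verified in constant time before any decryption, and a tampered blob is rejected with the same error as any other bad input, so the padding check is never exposed to untrusted data. Keys and the 16-byte IV are assumed to be supplied by the caller; the sample view state used in the test is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// ErrInvalid is the only error a caller sees for a bad blob: a forged tag and a
// bad padding byte are indistinguishable from outside, which is the point.
var ErrInvalid = errors.New("invalid protected data")

// Seal encrypts with AES-CBC and appends HMAC-SHA256 over iv||ciphertext, i.e.
// every encrypted byte is also signed (encrypt-then-MAC). iv must be 16 bytes.
func Seal(block cipher.Block, macKey, iv, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	blob := append(append([]byte{}, iv...), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(blob[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(blob)
	return mac.Sum(blob)
}

// Open verifies the tag in constant time before decrypting anything, so a
// modified ciphertext never reaches the padding check and cannot probe it.
func Open(block cipher.Block, macKey, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha256.Size || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrInvalid
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, ErrInvalid
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // padding is only ever inspected on authenticated data
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrInvalid
	}
	return pt[:len(pt)-n], nil
}
```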

Funniest E-mail sent to the LKML (Linux Kernel Mailing List)

This is just so very very wrong! Original e-mail can be found here.
“Hi, all

I have two machines that show very different performance numbers.

After digging a little I found out that the first machine has, in
/proc/cpuinfo:

model name      : Intel(R) Celeron(R) M processor         1.00GHz

while the other has:

model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz

and that seems to be the main difference.

Now the problem is that /proc/cpuinfo is read only. Would it be possible
to make /proc/cpuinfo writable so that I could do:

echo -n "model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz" > /proc/cpuinfo
in the first machine and get a performance similar to the second machine?”

Social Engineering and Facebook For Starters

The post that I wrote the other day about Foursquare and Facebook Places really got me thinking, and well, then it got me into doing mode very quickly.

So, putting on my reconnaissance hat, I logged into Facebook to see what I could find out about a complete stranger, and well, to say that it was interesting is to put it mildly. Bear in mind that I had no idea who this person was, or where in the world they were located before I started digging around.

The details that I managed to dig up about this person were the following:

– D.O.B

– In a relationship

– Hometown

– Religion

– Last 3 employers, as well as current

– Current Job Title

– Universities attended and relevant dates

– Schools attended and relevant dates

– Work e-mail address

– Private e-mail address

– Work phone number

– Home phone number

– Cell phone number

– Home address

– Work address

– Car make and model

– Car registration number

– Roughly how long it takes him to get from home to the office (average of 33 minutes)

– Roughly how long it takes him to get from home to his son’s school.

– Musical tastes

– Photos of his house, his dogs and his children

– He spends a lot of time (and I mean a lot) playing World of Warcraft

– He used to run Windows XP, but has recently upgraded to Windows 7

– I managed to map out the first two layers of his family tree

I then decided to do a bit more digging outside of Facebook now that I had all the above knowledge, and managed to find out a bit more about him.

– He goes running each day, and also uploads his routes and stats via Runkeeper

– He’s been in the newspapers a couple of times for good deeds and charity work

– He coaches a kids’ soccer team at his son’s school every other weekend

– He spends a fair amount of time on forums relating to legal highs

– There are some videos of him and his family on YouTube

– He has a personal web site, with a photo gallery of his travels with his family

– He runs a server from home, it’s running Windows 2003, IIS, and Exchange

– He’s currently an MCP studying towards his MCSE for Windows 2003, and I have his MCP ID; so far he’s done 3 exams

– He’s been married once before, and looking at photos of his ex-wife and his children, and their respective ages, one of the children is from his previous marriage.

– His citizenship

I managed to find all this information in about 10 minutes. Now, if I really wanted to go all out on this one, I’m pretty sure I could find a lot more information about him and his lifestyle.

Already, with the information that I’ve managed to obtain, I could quite easily use this for social engineering purposes, and not just against this person, but against most of the people in his family. It really does make me wonder why people are so open with all the details that they share online; with just a little bit of effort I feel like I know this person. I also know that if I wanted to attack his company it would be a pretty trivial thing to do.

People, it’s a scary world out there, and you really don’t need to publish all this sort of information. The people that know you will already know this information, so do you really need to advertise it to the world?

I’d like to thank George for taking part in my little experiment 😉

Security Conferences and Press Passes

We recently received a couple of press passes to some security conferences in Europe from the event organizers, and this got me thinking.

Firstly thank you to the organizers that sent the passes through, it really is appreciated and it shows just how far Securiteam’s reach is.

So if there are any other security event organizers reading this, and you want the ins and outs of your conference published here, then please get in touch with us. A press pass for a security conference doesn’t cost you anything, and we will do all we can to let others know how good or bad it really was.

As I’m sure you’re aware by now, here at Securiteam we write honestly and give thanks where thanks is due.

DEFCON Social-Engineer CTF Contest Findings Report

If you’re at all interested in Social Engineering as I’m sure that most of our readers are, then you will probably be very interested in the report over at the Social-Engineer.org site.

At DEFCON 18 this year, held in Las Vegas, there was a Social Engineering Capture The Flag event. This proved to be quite a success, well, more so for the participants than for the actual companies targeted, but hey. All’s fair in love and war.

Some of the rules for this event were the following:

– Contestants may not ask for or obtain financial data, passwords, or personal identifying information such as social security numbers or bank account numbers;
– Contestants may not attempt to falsify or falsify employment records;
– The list of target organizations will not include any financial, government, educational, or health care organizations;
– Contestants must keep it clean, for example, use of any pornography is banned.

Even the FBI were extremely wary of this contest and contacted the organizers beforehand, so this was getting a lot of press coverage. I am also aware that quite a few companies sent out internal communications about this event to their employees, warning them not to give out any sensitive information.

I’d personally just like to thank the team over at Social-Engineer.org for doing so much to bring social engineering into the public’s eye, and also for all the hard work they’ve put into SET and the Social Engineering Framework. Keep up the amazing work guys!
So without further ado, you can read the full report here.

HDCP Master Key Leaked

High-bandwidth Digital Content Protection (HDCP) is a form of copyright protection developed by Intel. It is designed to prevent the copying of digital audio and video as it travels across media interfaces such as HDMI, DisplayPort or Unified Display Interface (UDI).

The system is meant to stop HDCP-encrypted content from being played on devices that do not support HDCP or which have been modified to copy HDCP content. Before sending data, a transmitting device checks that the receiver is authorized to receive it. If so, the transmitter encrypts the data to prevent eavesdropping as it flows to the receiver.

Manufacturers who want to make a device that supports HDCP must obtain a license from Intel subsidiary Digital Content Protection, pay an annual fee, and submit to various conditions.

On 14th September 2010 the HDCP Master Key was somehow leaked and published online in various sources. At present it is unknown how this Master Key was obtained, or whether Intel is doing any investigation as to how this happened. Intel has, however, threatened to sue anyone.

The leaked master key is used to create all the lower level keys that are stored within devices, so you can see what a nightmare this must be for Intel.

Intel have threatened to sue anyone that makes use of this key under intellectual property laws. However, it will now only be a matter of time before we start seeing black market devices appearing.

If anyone’s at all interested though, you can find the key here.

DDoS Attacks and Torrent Sites

If anyone has been following the recent news about anti-piracy companies trying to take torrent sites offline by DDoSing them, then you’ll know that this was a bad idea from the start; if not, here’s a brief recap.

Aiplex Software is a company that has been trying to take down torrent sites for a while now. As they weren’t getting anywhere, they decided to take a new approach and DDoS the torrent sites instead. It was suspected that this was the case for a while, but then, to save everyone the effort, the nice guys over at Aiplex Software openly admitted that they were doing it. Big mistake!

As the Internet is a wonderful medium for communication, there was a scheduled DDoS attack against Aiplex Software which took their site offline for a fair amount of time, until all the attackers decided that moving on to the MPAA website was a better idea. The MPAA was forced to move its site to a new IP address after being down for 18 hours.

Yesterday an attack was launched against the RIAA in the same manner, and knocked the web site off the Internet for a good few hours.

All this was done via various means of communication, using the tool LOIC (Low Orbit Ion Cannon) and a bunch of anonymous supporters that weren’t afraid to stand up for what they believed in. Whether these attacks were right or wrong is purely a matter of opinion, but more to the point is the amount of damage that can be done.

In the past, if people wanted to protest, they would all gather in groups with placards and march around yelling various slogans; this usually happened outside the offending party’s premises. If it got out of hand, the police would be called in to disperse the crowd, and everything was back to normal. However, now in the age of the Internet, people are free to participate from the comfort of their own homes, just by downloading a program, typing in an IP address or hostname and clicking “Attack”. These people won’t be traced if the attack is coordinated properly, as it’s next to impossible to trace where all the packets are coming from if you have a large number of people doing this at the same time. Even if people were traced, there is always the “Botnet defense” (My PC must have been infected by something and become part of a botnet; I ran my anti-virus program and removed some things, and now it all seems fine).

As security professionals we need to look at this as the shape of things to come. What if an online retailer annoyed a few of its customers, or if an online gambling or finance site was just “asking for it”? All it takes is the right form of communication and a few thousand people, and poof, the site is off the Internet if it doesn’t have the correct protection mechanisms in place.

As security professionals, do you do your best to protect your company’s online assets from DDoS attacks? Or are you mainly concentrating on making sure the web sites are coded securely, and that the web servers have been hardened and patched up to date…

I’m really interested to hear everyone’s comments on this one, so please leave them below.