March 2006

Packet Sniffing

Q:

We recently had two sites defaced on our servers, and the perpetrators are claiming to have used TCPDump. Is there a cheap way to encrypt the data packets to ensure they can’t be sniffed? … [snipped]

– Rob

A:

The easiest way to encrypt data between you and the server is to use SSL or SSH. If you are connecting to a web server, enable SSL encryption; if you are connecting to any other service that can be protected by SSL, enable it there as well.

If your product cannot use SSL encryption, you can use OpenSSH to tunnel the traffic to the destination host, or use OpenVPN (SSL-based) to encrypt the connection between you and the destination host.
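The reason the answer above pushes SSL and SSH so hard is that on a plaintext protocol a passive sniffer on the path reads logins as easily as the server does, while on a TLS-protected connection it sees only opaque records. The following added example (not code from the original post) is the kind of IDS-style check an administrator can run over their own captured payloads to find which services still hand out credentials in the clear and therefore need SSL, SFTP/SSH or a tunnel first. All payloads are constructed inline; none is real captured traffic.

```python
import base64
import re

# Constructed sample TCP payloads, as they would appear to a sniffer on the path.
# The HTTP, FTP and POP3 lines are plaintext; the last entry is a TLS
# application-data record (content type 0x17, version 3.1, length 32) followed
# by opaque ciphertext, which is all a sniffer sees once SSL is enabled.
SAMPLE_PAYLOADS = [
    ("http",  b"GET /admin/ HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    ("ftp",   b"USER webmaster\r\nPASS s3cret\r\n"),
    ("pop3",  b"USER rob\r\nPASS letmein\r\n"),
    ("https", b"\x17\x03\x01\x00\x20" + bytes(range(0xa0, 0xc0))),
]

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
USER_RE = re.compile(rb"^USER\s+(\S+)", re.I | re.M)   # FTP / POP3 login
PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.I | re.M)


def exposed_credentials(payload: bytes):
    """Return the (username, password) pairs readable in one plaintext payload."""
    found = []
    # HTTP Basic authentication is only base64, not encryption.
    for m in BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        user, _, pw = decoded.partition(b":")
        found.append((user.decode("latin-1"), pw.decode("latin-1")))
    # FTP and POP3 send USER/PASS as separate plaintext commands.
    users = USER_RE.findall(payload)
    passes = PASS_RE.findall(payload)
    for user, pw in zip(users, passes):
        found.append((user.decode("latin-1"), pw.decode("latin-1")))
    return found


def audit(payloads):
    """Map each service name to the credentials a passive sniffer could read."""
    return {name: exposed_credentials(data) for name, data in payloads}


if __name__ == "__main__":
    for name, creds in audit(SAMPLE_PAYLOADS).items():
        status = "EXPOSED, needs SSL/SSH" if creds else "nothing readable"
        print(f"{name:6s} {status} {creds}")
```

Every service that comes back as EXPOSED is one where the fix from the answer applies: switch it to its SSL variant, or wrap it in an OpenSSH or OpenVPN tunnel so that what crosses the wire looks like the last entry.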

diStorm – very quick (open source) stream disassembler

diStorm is just another stream disassembler, but… the quickest one I have ever seen, and it supports AMD64. The guy (Arkon, Gil Dabah) must have no life, as this thing is very good and must have taken quite some time to develop. It is open source.

It’s written in Python and available for Windows, Linux and general *nix. There is also a PE binary parsing library in the package.


Counters say MSIE 0-day exploit is extremely popular [UPDATED]

The exploit code for the well-known Microsoft Internet Explorer createTextRange DoS vulnerability is remarkably popular. This is shown by a counter on the Milw0rm.com site, visible in its Remote type codes view.

At the time of writing the counter lists almost 13 000 visits. The Windows Metafile exploit code has about 9700 readers, and that was released more than two months ago. The number crossed 10 000 early on Monday. The code appeared on the site late on Thursday. Both of these codes have the same author, ‘darkeagle’.

Microsoft really has several reasons to patch outside of its monthly cycle, with more than 200 malicious sites exploiting this flaw.

Before you drop a comment, Google has only seven links to this exploit code page. 😉
Update: 29th March #14:25 UTC this code listing has 14 000 hits.
Update #2: 30th March: the newer Metasploit exploit release has about 2530 hits.
Update 7th April #19:00 UTC: The counter says 18600 now. Metasploit exploit has 8600 hits and Download Shellcoded Exploit released later has 4200 hits.

Code Red: Opera Cannot Handle Insufficient Disk Space and the SecuriTeam vs. Sendmail armed conflict

You gotta love those hilarious security advisories:

Opera > 8.02 with torrent support can’t handle not enough space on drive

If your partition is full and you choose to save a torrent on this
partition, Opera will start using 100% of your CPU and memory and
eventually crash

Tested with opera 9 p 2

Our feeling on this is that if you’re out of disk space, the least of your problems is Opera utilizing 100% of your CPU!

By the way, while we’re on the subject of making a fool of yourself, we did our share of the ‘sky is falling’ bit, too. But we’re professionals (well, we’ve had practice), so at least we did it with some style: we followed up with Ido’s non-existent Sendmail memory leak, which got Eric Allman all worked up, and ended it with a pointy cartoon. Yeah! Finally a good fight. Hope it’ll last at least a month.

A final word to Ido: you’re new in the industry, aren’t you? Here, we don’t apologize for mistakes. We bury them in flamewars!

Product Evaluation: 10 things you need to know when testing the bleeding edge of information security

HexView has written up a short article on the process of doing product evaluations:

This article is intended to fill the gaps often overlooked by people when architecting security infrastructures. The list below is squeezed out of our experience in testing technology products.

Even though the article is not very long, it does stress the 10 most important things, as well as the most common pitfalls.

The tip we like the most is: question every claim they make. It is as simple as that: if a vendor claims its product uses 256 bytes for encryption, don’t believe it, verify it. Most vendors will exaggerate, not because their technical guys are stupid, but because their sales force and marketing team multiply everything by 2/5/10/20/etc. :)