Roy Firestein

Security Feeds

Archive for December, 2009

Russia Plans To Divert Asteroid

December 31st, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
CyberDong writes “Roscosmos, Russia’s Federal Space Agency, will start working on a project to save planet Earth from a possible collision with Asteroid Apophis, which may happen in 2036. NASA specialists believe that the collision is extremely unlikely. Russian specialists will choose the strategy and then invite the world’s leading space agencies to join the project.”

Read more of this story at Slashdot.

Groundspeed v1.0.1 in the wild

December 14th, 2009. Published under My Recent Reads. No Comments.

Groundspeed is an open-source Firefox add-on that allows you to modify the web application interface during a penetration test by manipulating the forms and form elements loaded in the browser page, eliminating annoying limitations and client-side controls.
Some of the practical uses of groundspeed include changing hidden fields, select drop down lists and other fields into text fields, removing size and length limitations on input fields and modifying JavaScript event handlers to bypass (…)

Security Tools


Paper-Thin Batteries To Juice Self-Powered OLEDs

December 14th, 2009. Published under My Recent Reads. No Comments.


General Electric has teamed with an Israeli battery developer to make thin organic LED panels that require no external power source

Organic LEDs hold large promise for efficient, thin and flexible lighting elements (as well as razor-thin TVs), but low-tech power sources continue to constrain more creative uses of the lights. After all, what good is a shirt of woven LEDs if you need to lug around 10 C batteries to power it? Thankfully, GE is teaming up with the makers of printable, paper-thin batteries to create self-powered OLEDs with the battery integrated into the thin light element itself.

The partnership binds GE with Power Paper, an Israeli company whose ink-based batteries could light OLEDs in nearly any setting. This collaboration will run for a year, and aims to both create the first generation of this technology, and get started on second generation applications.

As you know, the quest for ever-thinner batteries is being pursued by a number of research groups, including the Stanford researchers we covered last week who have devised a way to make batteries out of actual sheets of paper by coating them in nanotube ink.

GE already imagines lighting a tent without the use of a generator, but I’m thinking bigger. Anyone in the mood for a portable, self-powered flat-screen TV you can roll up like a poster?

Cassini Sends First Full Images of Saturn’s Mysterious Giant Hexagon

December 14th, 2009. Published under My Recent Reads. No Comments.

Scientists suspect that the hexagon pattern may represent an unusually controlled jet stream

Saturn’s north pole holds something even more strange than a globe-trotting Santa Claus — a giant hexagon shape within the planet’s atmosphere. Now NASA’s Cassini spacecraft has imaged the whole hexagonal pattern in visible light for the first time.

The hexagon has remained a mystery ever since NASA’s Voyager spacecraft first discovered it in the early 1980s. Cassini has used its spectrometer to observe the hexagon in both visual and infrared light since 2006, but at lower resolution than the newest visible-light images.

Scientists speculate that the six-sided shape represents the path of a jet stream, but still don’t understand what controls the jet stream in such a rigid manner. The latest image mosaics created by Cassini show waves radiating from the hexagon corners, and also reveal a multi-walled structure within each hexagon side.

One of the most unusual features within the new images is a large spot inside the hexagon. The spot could have connections to an earlier large spot located outside the hexagon, which was imaged by Voyager but eventually disappeared in 1991. That’s the year when Saturn entered its long winter polar night, with emphasis on long – a whole Saturn year lasts about 29 Earth years.

Cassini’s latest photo opportunity only came about after Saturn’s August 2009 equinox, which signaled the start of northern spring.


The Windows 7 USB installer tool is back — and open source!

December 14th, 2009. Published under My Recent Reads. No Comments.



There was a bit of a furore over Microsoft’s ‘Windows 7 Netbook Installation tool’ back in November because they broke the cardinal rule this decade of software development: they used open-source code and didn’t declare it. Even worse, they modified open-source code and locked it up in proprietary, closed-source software. FOR SHAME!

But it’s OK: it was just a mistake, an honest mistake. They didn’t mean to include the open-source code fragments. So they pulled the software from their site and said it would be back in a little while, properly documented, and open-sourced. Well, it’s been a month and it’s finally back! It’s also now hosted on CodePlex, Microsoft’s open-source repository — cool.

If you weren’t aware such a tool existed, it creates bootable USB sticks from .ISO (CD or DVD) images, ideal for installing Windows 7 on a netbook or any other device without an optical drive. If you need more info – perhaps if you want to rejuvenate a tired old netbook for a grandparent this Christmas – we’ve written about installing Windows 7 via USB before.

[via CNet | Windows 7 USB Download Tool link]

The Windows 7 USB installer tool is back — and open source! originally appeared on Download Squad on Thu, 10 Dec 2009 08:22:00 EST. Please see our terms for use of feeds.


Tags: Microsoft, Open source, Windows 7, CodePlex, Source code

Google Aims To Push The Speed Of Light With Realtime Results. Seriously.

December 7th, 2009. Published under My Recent Reads. No Comments.


Today, at its Search Event in Mountain View, Google Fellow Amit Singhal (who recently participated in our Realtime Crunchup) took the stage to announce a big new feature for the search giant: Realtime.

“It’s Google’s relevance technology meeting the realtime web,” is how Singhal described it.

As we’ve learned over the past several months with Twitter Search, relevancy is perhaps the key to making realtime search a pillar of the web. Google seems to believe it has cracked the code for this, and has been internally testing it for a while now. But starting today it’s going live for everyone.

Singhal showed off the new feature by doing a query for “Obama.” The results page shows results coming in in realtime. And yes, it works with Twitter. For example, Google’s Matt Cutts tweeted something from the audience, and in popped in the results immediately. This is the first time any search engine has integrated realtime results into a standard page, Google says. Obviously, this is huge.

Google will offer realtime trends (it will be interesting to see how these compare to Twitter trends), and Trends is officially leaving Google Labs today. This new realtime search will work on both Android devices and iPhones immediately. Google says there are over a billion realtime documents a day that it will be looking at. This includes tweets, blog posts, and also information from sources like MySpace and yes, even Facebook. Other partners include FriendFeed, Jaiku, and

“The importance of relevance has gone through the roof as the amount of information out there is growing. Relevance has become the critical factor,” Singhal noted. He went on to note that a lot goes on behind the scenes to make sure the relevancy remains intact — including Google apparently developing “dozens” of new technologies. Language is a key aspect to this (and on that front, realtime results will be available in English first, but should come to the rest of the web in Q1 2010). Another key is determining if things like tweets were sent automatically or manually by someone.

When this goes live (update, it is live now), you will see a new “Latest” option in the “Show options” sidebar of Google Search. There is also a way to filter results just to status updates from Twitter and the like.

“Light can travel around the world in 1/10th of a second, and we won’t rest until the speed of light is the only barrier to getting good search results to you,” Singhal noted. Quite a goal.

Update: Realtime search is now live on some accounts (including ours). Below find a quick video of it in action and some screenshots.



[photo: flickr/fabbio]


5 Fabulous New Features Google Unveiled Today

December 7th, 2009. Published under My Recent Reads. No Comments.


Google is holding a major demo event at the Computer History Museum today and unveiled a number of incredible new features. It was the kind of event that restores a person’s faith in Google as a major innovator.

From voice search and translation, to location and visual search, here are the five most impressive technologies unveiled so far.


The demos are all being done by Vic Gundotra, vice president of engineering for Google.


Near Instant Voice Translation

A new prototyped product allows not just search by voice, but near instant translation between English and Spanish in the cloud, via your mobile phone. Gundotra spoke a paragraph’s worth of words into his phone and within seconds the phone recited a translated version back in Spanish. It was amazing. Google hopes to have support for all the world’s major languages completed sometime in 2010.

Customized Suggest Based on Location

Google Suggest is a very smart, if under-appreciated, feature. The feature will soon make use of location information when searches are performed on mobile devices. Gundotra demonstrated on one phone that believed it was in Boston and one that believed it was in San Francisco. Upon typing the letters “RE” the Boston phone suggested searches for Red Sox, the local baseball team. The San Francisco phone suggested a search for REI, the outdoor gear outfitter.

Google Product Search Combined With Inventory Feeds from Local Retailers

Local mobile product search will soon tell you where the nearest store with a product is and whether that product is in stock.

Near Me Now

Now on mobile, starting today on Android phones, Google will offer top-level search categories like restaurants or stores on the front page. Click that button and you’ll see the closest-by search results ranked by user rating.

Google Goggles

Visual search. Take a photo, click a button and Google will analyze imagery and text in the photo for your search query. Pretty exciting. 1 billion images are included in the index today but Google says it has made the decision not to include facial recognition until privacy concerns are figured out.

Stay tuned for the next update… on Google’s new real-time search.


Attack on Windows BitLocker

December 6th, 2009. Published under My Recent Reads. No Comments.

Fraunhofer SIT has presented a method for manipulating a system to discover the BitLocker drive encryption PIN under Windows. The method even works where a TPM is used to protect the boot process.

Yahoo, Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse’ Consumers

December 4th, 2009. Published under My Recent Reads. No Comments.


Want to know how much phone companies and internet service providers charge to funnel your private communications or records to U.S. law enforcement and spy agencies?

That’s the question muckraker and Indiana University graduate student Christopher Soghoian asked all agencies within the Department of Justice, under a Freedom of Information Act (FOIA) request filed a few months ago. But before the agencies could provide the data, Verizon and Yahoo intervened and filed an objection on grounds that, among other things, they would be ridiculed and publicly shamed were their surveillance price sheets made public.

Yahoo writes in its 12-page objection letter (.pdf), that if its pricing information were disclosed to Soghoian, he would use it “to ‘shame’ Yahoo! and other companies — and to ‘shock’ their customers.”

“Therefore, release of Yahoo!’s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies,” the company writes.

Verizon took a different stance. It objected to the release (.pdf) of its Law Enforcement Legal Compliance Guide because it might “confuse” customers and lead them to think that records and surveillance capabilities available only to law enforcement would be available to them as well — resulting in a flood of customer calls to the company asking for trap and trace orders.

“Customers may see a listing of records, information or assistance that is available only to law enforcement,” Verizon writes in its letter, “but call in to Verizon and seek those same services. Such calls would stretch limited resources, especially those that are reserved only for law enforcement emergencies.”

Other customers, upon seeing the types of surveillance law enforcement can do, might “become unnecessarily afraid that their lines have been tapped or call Verizon to ask if their lines are tapped (a question we cannot answer).”

Verizon does disclose a little tidbit in its letter, saying that the company receives “tens of thousands” of requests annually for customer records and information from law enforcement agencies.

Soghoian filed his records request to discover how much law enforcement agencies — and thus U.S. taxpayers — are paying for spy documents and surveillance services with the aim of trying to deduce from this how often such requests are being made. Soghoian explained his theory on his blog, Slight Paranoia:

In the summer of 2009, I decided to try and follow the money trail in order to determine how often Internet firms were disclosing their customers’ private information to the government. I theorized that if I could obtain the price lists of each ISP, detailing the price for each kind of service, and invoices paid by the various parts of the Federal government, then I might be able to reverse engineer some approximate statistics. In order to obtain these documents, I filed Freedom of Information Act requests with every part of the Department of Justice that I could think of.

The first DoJ agency to respond to his request was the U.S. Marshals Service (USMS), which indicated that it had price lists available for Cox Communications, Comcast, Yahoo and Verizon. But because the companies voluntarily provided the price lists to the government, the FOIA allows the companies an opportunity to object to the disclosure of their data under various exemptions. Comcast and Cox were fine with the disclosure, Soghoian reported.

He found that Cox Communications charges $2,500 to fulfill a pen register/trap-and-trace order for 60 days, and $2,000 for each additional 60-day-interval. It charges $3,500 for the first 30 days of a wiretap, and $2,500 for each additional 30 days. Thirty days worth of a customer’s call detail records costs $40.

Comcast’s pricing list, which was already leaked to the internet in 2007, indicated that it charges at least $1,000 for the first month of a wiretap, and $750 per month thereafter.

But Verizon and Yahoo took offense at the request.

Yahoo objected on grounds that its pricing constituted “confidential commercial information” and cited Exemption 4 of the Freedom of Information Act and the Trade Secrets Act.

Exemption 4 of the FOIA refers to the disclosure of commercial or financial information that could result in a competitive disadvantage to the company if it were publicly disclosed. The company claims its pricing is derived from labor rates for employees and overhead and, therefore, disclosing the information would provide clues to its operating costs — regardless of whether these same clues are already available in public records, such as those the company files with the Securities and Exchange Commission. The company also claims that since Soghoian is trying to determine the actual amounts the Marshals Service paid Yahoo for responding to requests, the price lists are irrelevant, since “there are no standard prices for these transactions.”

But equally important to Yahoo’s objections was the potential for “criticism” and ridicule. Yahoo quoted Soghoian on his blog writing that his aim was to “use this blog to shame the corporations that continue to do harm to user online privacy.”

Yahoo also objected to the disclosure of its letter objecting to the disclosure of pricing information saying that “release of this letter would likely cause substantial competitive harm” to the company. The company added, in a veiled threat, that if the Marshals Service were to show anyone its letter objecting to the disclosure of pricing information, it could “impair the government’s ability to obtain information necessary for making appropriate decisions with regard to future FOIA requests.”

If anyone out there has a copy of Verizon or Yahoo’s law enforcement pricing list and wants to share it, feel free to use our anonymous tip address.


obama facebook

December 4th, 2009. Published under My Recent Reads. No Comments.


obama facebook

Twitter misidentifying context

December 4th, 2009. Published under My Recent Reads. No Comments.


This is an important post for me, not because it’s groundbreaking but because people don’t seem to get this when using data in a certain context. If you are a dev please read this and read it until you understand it, because if you misidentify context you fail and you fail pretty badly.

I reported this to Twitter about two months ago; they responded and fixed four XSS holes but two remain, and they didn’t contact me to test the fix.

When you are including user input inside a JavaScript event within a string, what do you have to escape? If you answered: '"<>\
You are wrong. Twitter is wrong.

Take the following example:-

<a href=# onclick="x= 'USERINPUT' ">test</a>

So you can place your input within the single quotes and there is a place on twitter that does this:-
twitterTheseResults(' \&quot;\'xss','/search?q=&a…

Here they are escaping &quot; with \&quot; and ' with \'. But that isn’t enough! Why? Because it’s a JavaScript onclick event! Inside an event you have to escape entities! All of them!

Consider the following vector:-

No single quotes but &apos; still acts as one. Please look at this test and make sure you understand how it works:-

Don’t forget other entities work too ' ' &#39 &#x27 so make sure you escape all characters within a js event like so:-

<a href="#" onclick="x='USERINPUT\x27\x22\x3c\x3e'">test</a>

and Twitter PLEASE fix this and related holes c’mon it’s been two months, it’s not rocket science to fix:-
Twitter poc (don’t tweet these results)

&apos; works on non-IE browsers but the other entities mentioned work fine on IE too.
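As an added illustration of the point above (example code written for this page, not part of the original post), the Python script below simulates what a browser does with an event handler attribute: it decodes HTML entities in the attribute value before the script engine parses `x='...'`. It then compares the backslash-only escaping quoted above with the `\xHH` escaping the post recommends, and checks for each constructed probe input whether the string literal is closed early. The probe inputs, function names and the decoding of `&apos;` (non-IE behaviour, as the post notes) are all assumptions made for the illustration.

```python
import html
import re

# Constructed probe inputs (not from the post). Each tries to end the x='...'
# literal early, either with a bare quote or with an HTML entity for one.
PROBES = [
    "';alert(1)//",         # bare single quote
    "&apos;;alert(1)//",    # named entity for ' (decoded by non-IE browsers, as the post notes)
    "&#39;;alert(1)//",     # decimal entity
    "&#x27;alert(1)//",     # hex entity
    "&#39alert(1)//",       # decimal entity without the trailing semicolon
]


def twitter_style_escape(s):
    """The insufficient scheme quoted in the post: backslash the quotes, leave entities alone."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', "\\&quot;")


def js_hex_escape(s):
    """Escape everything except ASCII letters and digits as \\xHH (or \\uHHHH), as the post advises."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render(escaped):
    """Place the escaped value inside the post's example markup."""
    return "<a href=\"#\" onclick=\"x='%s'\">test</a>" % escaped


def handler_as_seen_by_js(markup):
    """A browser decodes entities in an attribute value before the script engine ever sees it."""
    value = re.search(r'onclick="([^"]*)"', markup).group(1)
    return html.unescape(value)


def split_literal(js):
    """Walk x='...' honouring backslash escapes; return (raw literal body, text after the closing quote)."""
    if not js.startswith("x='"):
        raise ValueError("unexpected handler prefix")
    i, body = 3, []
    while i < len(js):
        ch = js[i]
        if ch == "\\":                      # escape sequence: keep both characters
            body.append(js[i:i + 2])
            i += 2
        elif ch == "'":                     # unescaped quote closes the literal
            return "".join(body), js[i + 1:]
        else:
            body.append(ch)
            i += 1
    return "".join(body), None              # unterminated literal


def decode_literal(body):
    """Undo JS string escapes to recover the value the script actually receives."""
    out, i = [], 0
    while i < len(body):
        if body[i] != "\\":
            out.append(body[i])
            i += 1
        elif body[i + 1] == "x":
            out.append(chr(int(body[i + 2:i + 4], 16)))
            i += 4
        elif body[i + 1] == "u":
            out.append(chr(int(body[i + 2:i + 6], 16)))
            i += 6
        else:                               # \' \" \\ and friends
            out.append(body[i + 1])
            i += 2
    return "".join(out)


def breaks_out(user_input, escaper):
    """True if the input closes the literal early, leaving code that runs outside it."""
    _, rest = split_literal(handler_as_seen_by_js(render(escaper(user_input))))
    return rest != ""


def round_trips(user_input, escaper):
    """True if the literal stays intact and the script receives exactly the original input."""
    body, rest = split_literal(handler_as_seen_by_js(render(escaper(user_input))))
    return rest == "" and decode_literal(body) == user_input


if __name__ == "__main__":
    for probe in PROBES:
        print("%-22r backslash-only breaks out: %-5s  hex-escaped breaks out: %s" % (
            probe, breaks_out(probe, twitter_style_escape), breaks_out(probe, js_hex_escape)))
```

The backslash-only scheme survives the first probe (a literal quote) but fails every entity-based probe, because the browser has already turned the entity into a real quote by the time the script engine tokenises the handler. Hex-escaping every non-alphanumeric character leaves nothing for the HTML layer to decode, so the literal stays intact and `decode_literal` recovers exactly the original input.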

Exploit Released for Adobe Illustrator Zero Day Flaw

December 4th, 2009. Published under My Recent Reads. No Comments.


security response team is scrambling to deal with the release of exploit code for what appears to be a critical zero-day flaw in the Adobe Illustrator CS4 software product.

The vulnerability is caused by an error in the parsing of Encapsulated PostScript files (.eps) and can be exploited to corrupt memory when a user opens a specially crafted .eps file. Successful exploitation allows execution of arbitrary code.


Gay-bashing woman humiliated for wearing hideous skirt

December 4th, 2009. Published under My Recent Reads. No Comments.


An angry loser (right) came to Syracuse University to make a fool of herself by spreading pathetic hatred and was treated to a happy mutant style stunt by this smiling student, named Chris Pesto (left).

I decided that because this woman thought it was okay to make me feel uncomfortable in my home, I would retaliate and make her feel just as uncomfortable, if not more.

This woman was wearing an ankle-length corduroy skirt, which, as we all know, is a fashion no-no. So, in order to make her feel uncomfortable, I stood next to her and held a sign that said Corduroy skirts are a sin! I don’t think I have ever drawn so much attention in my life. SO many people asked to take a picture with me, I got laughs, high fives and there were the few that even cursed off the woman standing behind me.

As I drew interest to what was going on with myself and the woman with the hateful sign, I started to draw a crowd that stood with me in support. Before I knew it I had 100+ people holding signs for gay rights asking people to honk their horns to support. I was interviewed by a news station, and more than 5 student organization papers, and the Post-Standard of Syracuse.

I never expected anybody to come stand by me and support and I appreciate it so much that everyone came! It meant so much and it proved to those ignorant people that we aren’t afraid, and we will put up a fight.

I’m proud that Syracuse has such a homosexual friendly community.

Corduroy Skirts are a Sin

Vodka Soon Available in Pill Form

December 4th, 2009. Published under My Recent Reads. No Comments.


A researcher at a Russian university has developed a powdered form of alcohol that will soon make the consumption of vodka more convenient. From The Times of India:

Russian professor Evgeny Moskalev of Saint Petersburg Technological University has evolved a technique that allows turning alcohol into powder and packing it in pills. The new technique can solidify any kind of alcohol, including whisky, cognac, wine and beer.

“Dry” vodka can be wrapped in paper and carried around in a pocket or a bag. Vodka in the form of a pill would come in handy at parties when “consumers” would be able to calculate their exact required dosage.

Verily, we live in an age of medical wonders.

Link via Geekologie | Image: US Department of State (not the pills in question)

SparkFun’s BlueSmirf found inside a pin pad

December 4th, 2009. Published under My Recent Reads. No Comments.


SparkFun bluesmirf PIN Scam

That is an officer of the law holding a modified PIN pad discovered in Waterloo, Ontario, Canada. You can barely see it in this image but among other mods the PIN pad has a BlueSmirf module attached to it. This allows someone sitting within ~100 feet to capture all of the information transmitted by the PIN pad, including credit card information and the PIN. Now SparkFun commented on this issue, and I agree with Nate that all things can be used for good or evil, including their products. I don’t believe SparkFun should be blamed in any way for this; it’s the companies that make the PIN pads that should take more care of the security of their devices.

Bad guys will always try to trick the systems, but it’s the companies who make credit card processing devices that should be one step ahead of them. I’ve read the comments on SparkFun’s blog and someone who works in a company that makes these devices said that they have all kinds of security features that will make the PIN pad unusable once someone tries to open it without authorisation. Someone else said they even have an internal battery for monitoring even if the PIN pad is unplugged or has its main battery removed, so I’m not sure how someone managed to mount the BlueSmirf inside the PIN pad.


Canadian Freebies: Microsoft Office 2010 Beta Professional

December 4th, 2009. Published under My Recent Reads. No Comments.



Microsoft is offering a free download of the Beta version of Microsoft Office 2010. This is a Beta version, so there may be issues with it since it’s still in production stages, but you can try it for free now. Once you download it, it should be valid until late next year.

It comes with a complete package of everything you need including: Word, OneNote, InfoPath, PowerPoint, Access, SharePoint Workspace, Outlook, Publisher, Communicator and Excel.

To get your free copy, click here!

DNAScan Malicious Network Activity Reverse Engineering

December 4th, 2009. Published under My Recent Reads. No Comments.



This is a paper split into two episodes, the first two can be read here



In this blog post we will investigate in depth the functionality of DNAScan, which can be seen as a set of threads that accomplish different networking functions such as:

* Server Functionalities
* Client Functionalities
* Malicious File Exchange
* Generic Backdoor

Let’s start from the beginning of the network functionality setup: initially, from the main thread, WSAStartup is called to initiate the Winsock DLL; next a classical socket() is called, and immediately after that WSAIoctl.

read more

Ping pong obfuscation

December 4th, 2009. Published under My Recent Reads. No Comments.


This is a fun post about a feature I found in IE that allows you to do some crazy obfuscation. I’ll start off with some simple examples:-

<img src=1 language=vbs onerror=msgbox+1>
<img src=1 language=vbscript onerror=msgbox+1>
<img src=1 onerror=vbs:msgbox+1>

So here we’re not obfuscating, but I’m showing how IE accepts the language attribute and a labelled vbs statement to change the event to allow VBScript instead of JavaScript. OK, so let’s play a little ping pong:-

execScript("MsgBox 1","vbscript"); //executes vbs from js
execScript('execScript "alert(1)","javascript"',"vbscript");

Look how we can call vbscript from javascript by using execScript and then look how we can execute from javascript to vbscript and then back to javascript again! So now we’re playing some ping pong but how can we make our little game hidden?

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">test</a>

Wait what? Yeah IE supports jscript.encode within the language attribute. Remember jscript.encode? ah the old ones are the best :) That’s it right? Well….

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

Yeah you can use VBScript.Encode and Javascript.Encode as labels within an event! You might be going WTF right now and I can understand it because I did exactly the same but it would be silly to finish now without finishing our game of ping pong. How many rallies shall I do? I think 3 should be enough….

<body onload="jscript.encode:#@~^TAAAAA==nX+^UmMkwD`r:@$?73hzb)){'Z%QRG=2&#x9;V7WB qdG\:2jbebz)'{7:=@$J~E%km.kaOc+U1W9+J*CRcAAA==^#~@">

Ok so I go to:-
jscript->jscript.encode->jscript.encode->jscript.encode->hex entities
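From the defender’s side, the IE behaviour described in this post gives a few concrete things to look for in markup: a `language` attribute that selects VBScript or an `.Encode` engine, an event handler that starts with an engine-switching label such as `vbs:` or `VBScript.Encode:`, and the `#@~^` marker that Script Encoder output begins with. The Python auditor below is an added example written for this page (not the author’s code) that scans an HTML document for those three signals; it uses the standard `html.parser`, and the constructed test document reuses the post’s own examples beside one benign handler.

```python
import re
from html.parser import HTMLParser

# Engine-switching labels IE honours at the start of an event handler, per the post.
# A plain "javascript:" label is an ordinary JS label and is not flagged.
SCRIPT_LABEL = re.compile(
    r"^\s*(vbs|vbscript|jscript\.encode|vbscript\.encode|javascript\.encode)\s*:", re.I)
# Values of the language attribute that move the handler away from plain JScript.
LANGUAGE_VALUES = {"vbs", "vbscript", "jscript.encode", "vbscript.encode", "javascript.encode"}
# Start-of-stream marker that Script Encoder output carries.
ENCODED_MARKER = "#@~^"

# Constructed test document: one benign handler plus the post's own IE examples.
SAMPLE_HTML = r"""
<p>benign</p><a href="#" onclick="alert(1)">js</a>
<img src=1 language=vbs onerror=msgbox+1>
<img src=1 onerror=vbs:msgbox+1>
<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">test</a>
<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
"""


class EventHandlerAuditor(HTMLParser):
    """Collect (tag, attribute, reason) for every attribute that would switch engines in IE."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases attribute names and decodes entities in values for us.
        for name, value in attrs:
            value = value or ""
            if name == "language" and value.lower() in LANGUAGE_VALUES:
                self.findings.append((tag, name, "language attribute selects " + value))
            elif name.startswith("on"):
                label = SCRIPT_LABEL.match(value)
                if label:
                    self.findings.append(
                        (tag, name, "handler label switches engine to " + label.group(1)))
                elif ENCODED_MARKER in value:
                    self.findings.append((tag, name, "handler body is Script Encoder output"))


def scan_html(doc):
    """Return the auditor's findings for one HTML document."""
    auditor = EventHandlerAuditor()
    auditor.feed(doc)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for tag, attr, reason in scan_html(SAMPLE_HTML):
        print("<%s %s=...>: %s" % (tag, attr, reason))
```

Each attribute yields at most one finding, so the `<a>` element in the sample produces two (its `language` attribute and its encoded `onclick`), while the `<img>` with `language=vbs` and a plain `msgbox+1` handler produces only the `language` finding. This is a markup-level check, not a replacement for output encoding: it tells you where an engine switch could happen, which is the context the post is about.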

nixCraft FAQ PDF Collection Now Available To All

December 3rd, 2009. Published under My Recent Reads. No Comments.


The nixCraft FAQ collection is now available to anyone who wants to browse it off-line in a PDF format. This tar ball contains 1530 Linux, *BSD, UNIX, Perl, Bash and scripting related faqs, mini-howtos, and tutorials compiled and written by nixCraft.

Read more: nixCraft FAQ PDF Collection Now Available To All


Scientists use virus to kill cancer cells while leaving normal cells intact

December 3rd, 2009. Published under My Recent Reads. No Comments.

A virus that in nature infects only rabbits could become a cancer-fighting tool for humans. Myxoma virus kills cancerous blood-precursor cells in human bone marrow while sparing normal blood stem cells, a multidisciplinary team at the University of Florida College of Medicine has found. The findings are now online and will appear in an upcoming issue of the journal Leukemia.

Cloud Computing Risk Assessment Report

December 3rd, 2009. Published under My Recent Reads. No Comments.

I’ve been traveling so there is a bit of a backlog of news. In case you missed this, the European Network and Information Security Agency (ENISA), working for the EU Institutions and Member States, has released a Cloud Computing Risk Assessment report. ENISA is the EU’s response to information security issues of the European Union. As such, it is the ‘pacemaker’ for information security in Europe.

ENISA, supported by a group of subject matter experts comprising representatives from industry, academia and governmental organizations, has conducted, in the context of the Emerging and Future Risk Framework project, a risk assessment of the cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.

A few highlights of the report include:

- The Cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective. This paper allows an informed assessment of the security risks and benefits of using cloud computing – providing security guidance for potential and existing users of cloud computing.

- Scale: commoditisation and the drive towards economic efficiency have led to massive concentrations of the hardware resources required to provide services. This encourages economies of scale – for all the kinds of resources required to provide computing services.

- Architecture: optimal resource use demands computing resources that are abstracted from underlying hardware. Unrelated customers who share hardware and software resources rely on logical isolation mechanisms to protect their data. Computing, content storage and processing are massively distributed. Global markets for commodities demand edge distribution networks where content is delivered and received as close to customers as possible. This tendency towards global distribution and redundancy means resources are usually managed in bulk, both physically and logically.

STANDARDISED INTERFACES FOR MANAGED SECURITY SERVICES: large cloud providers can offer a standardised, open interface to managed security services providers. This creates a more open and readily available market for security services.

LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.

ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However, it should be considered that attacks on resource isolation mechanisms (e.g., against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.

MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.

Read the Complete Report Here >


Malicious Google AppEngine Used as a CnC

December 3rd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Over the weekend our zoo found a malware sample that revealed a malicious Google AppEngine application. The app in question is being used to feed URLs to the zombies for them to download. We got the malware via sample sharing, and its original location and infection information is absent. The malware details are below:

MD5: 2143a7b9a9de6ea26987ed8ece29d2c6
SHA1: 30f6befc76e4e269e5aa9c01c735d55d7ca4099a
File type: application/x-ms-dos-executable
File size: 65024 bytes

It’s a simple HTTP engine and downloader, packed with UPX. The C&C is visible in the unpacked sample: [OMITTED]?hostname=


Where [Omitted] refers to a four letter expletive (this is a family friendly blog, folks!).

This was bound to happen, after all, in an open environment like this where people’s abilities are limited by their intentions. The C&C appears to manage infections on the basis of the computer hostname sent in the request; a unique hostname yields the malcode URL to update:


In this case aa.exe is a PCClient backdoor to the infected PCs. When you come back, at this time you just get the word “cmd”. It’s unclear to me what additional commands the C&C can issue to clients.

A quick analysis of the original malware doesn’t reveal any additional functionality, just the downloader bits. (See below) Google’s been contacted for the AppEngine to be taken down, and the site hosting the second stage malware has been contacted for takedown, as well.

UPDATE Google has confirmed the malicious AppEngine is now down.

UPDATE 2 Actually, looking at the sample reveals that it talks to a host in China using what at first blush appears to be a Grey Pigeon protocol.

UPDATE 3 Found another URL the app used, but I’m not sure what it was used for:

The Google cache of the results suggests it reads something like “Today visited 42 times this month, visited 587 times.” It’s unclear if that’s the size of the botnet or what.

Nipper v1.1 released

December 3rd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Nipper performs security audits of network device configuration files. The report produced by Nipper includes: detailed security-related issues with recommendations, a configuration report and various appendices. Nipper currently supports Cisco IOS, PIX, ASA, FWSM, NMP, CatOS and Juniper NetScreen devices.
Just like with the previous releases too many new features have been added to list them all (over 150 new features with this release), so here are a few of our favourites: (…)

Security Tools


Matriux NEW Security Distro (Next 05 Dec @ Club Hack 2009)

December 3rd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
The Matriux is a phenomenon that was waiting to happen. It is a fully featured security distribution consisting of a bunch of powerful, open source and free tools that can be used for various purposes including, but not limited to, penetration testing, ethical hacking, system and network administration, cyber forensics investigations, security testing, vulnerability analysis, and much more. It is a distribution designed for security enthusiasts and professionals, although it can be used (…)

Security Tools


Bag Check

December 3rd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
A laptop battery contains roughly the stored energy of a hand grenade, and if shorted it ... hey!  You can't arrest me if I prove your rules inconsistent!

The Common Vulnerability Reporting Format

December 2nd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

To date, a major gap exists in vulnerability standardization: there is no standard framework for the creation of vulnerability report documentation. While the computer security collective has done a bang-up job in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposure (CVE) dictionary and the Common Vulnerability Scoring System (CVSS), this lack of standardization is evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator. This blog post explores a nascent standard to close this gap.

Lack of Standard Promotes Chaos

Conventionally, the documentation of vulnerabilities is an ad hoc, producer-specific, and overtly non-standard process. Each vendor compiles, collates, and produces their own version of a vulnerability document that may or may not be similar to comparable reports by other vendors. To see examples of this, consider the 2008 multi-vendor “outpost24 TCP” vulnerability report from major producers such as Cisco, Microsoft, or CERT. Because each producer employs a unique and non-cooperative document structure, users must manually parse individual reports to find information that is germane to their environments. Additionally, the documents are typically flat and do not facilitate nor support any sort of automated processing.

TEDTalks : Gordon Brown on global ethic vs. national interest – Gordon Brown (2009)

December 2nd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Can the interests of an individual nation be reconciled with humanity’s greater good? Can a patriotic, nationally elected politician really give people in other countries equal consideration? Following his TEDTalk calling for a global ethic, UK Prime Minister Gordon Brown fields questions from TED Curator Chris Anderson.

Abuse Citrix and own the domain

December 2nd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Little Bobby Tables is growing up quickly; he is now performing a Citrix break-out assessment: basically the scope of the penetration test consists of trying to execute applications that he is not allowed to after logging on to a Citrix MetaFrame or similar environment. Usually a screenshot with a command prompt showing the output of ipconfig /all is enough proof to the Client that you have successfully broken out of the restricted environment and the party can roll on. There are many tutorials to achieve this goal and I will not repeat them.

Assume that little Bobby asked old uncle Google for help, found the above mentioned tutorials along with some videos and successfully broke out of the environment while circumventing Windows GPO/SRP and other security mechanisms, getting a command prompt or even an unrestricted RDP session onto the box.
He now feels good, is excited, and wants the Client to know that in about half an hour he broke out of the environment. Bobby then calls whoever paid for two or more days of assessment to let him know that he is already done with the initial work and asks for permission to go further with the test to demonstrate how dangerous a malicious attacker could be in such a scenario. The Client agrees: in the end he has paid for the rest of the man days and wants to make the best use of them by finding the flaws within his whole network.

What is next?

Little Bobby knows about the beauties of Windows’ net command and puts it to great use. He enumerates machines within the Windows domain, identifies the primary domain controller (PDC), lists local and domain users from the PDC/BDC, etc., all in all gathering as much information as possible about the owned system and its network perimeter.

He can also upload his own tools easily by mapping his local shared hard-drive via Citrix XenApp (the new Citrix ICA client for Windows) onto the target Citrix environment, via the copy ‘n paste and debug.exe trick, via uudecode/uuencode, or whatever working technique, depending on how hardened Citrix is.

First goal now is to escalate privileges to a highly privileged local user like Administrator or LOCAL SYSTEM assuming that the user is not within the Administrators group already. There exist several techniques to do so. Once done it is game over, you own that system completely.

What about logging onto other systems?

Surely little Bobby won’t stop here. He wants to own all the servers within the network perimeter, above all the PDC and other infrastructure critical servers, like database servers.

He dumps users’ password hashes (Security Accounts Manager), LSA secrets, passwords cache, protected storage, reversible encryption storage, passwords history and current logon session tokens. PWDumpX and Cain&Abel are handy tools along with the others linked.
Now he has collected credentials of many other users: either plain-text or NTLM credentials for all local users, users who logged onto the box since the last reboot, users logged in at the very same time, and users used to start services.
Hopefully among these credentials, little Bobby has got the hash of a domain user. If he gets very lucky, it will be a domain administrator. Again, net is your friend to check this.

Now Bobby resurrects the list of enumerated hosts, tries to discover more hosts on the network perimeter via ping sweep, ARP scan and network traffic sniffing with a bunch of uploaded tools. He now has a huge list of hosts to own. On top of the list there are the domain controllers and eventually the database servers!

At this point he has a list of hosts in one text file and a single file collecting the above dumped hashes (output of PWDumpX et al.).

Own the LAN: the common way

Little Bobby could crack the dumped password hashes and try to login over SMB or RDP with the cracked plain-text credentials onto the other systems, one by one. To login and execute commands over SMB onto another system he could upload to the Citrix box and run a single executable file, PsExec.

Another tool can be handy, smbshell, a pre-compiled NASL script, but it requires the nasl interpreter and a bunch of other Nessus libraries to run, not very convenient in the above scenario. Nevertheless, an advantage over PsExec is that it accepts also the NTLM hash of the password, so there is no need to crack the password to login over SMB. Like PsExec, it can be used to login onto one system at a time.

Isn’t there anything quicker to check usefulness of dumped hashes?

Own the LAN: the quickest way

Our lazy little Bobby heard about a new open source multi-threaded tool called keimpx developed in Python that can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:

  • Combination of user / plain-text password.
  • Combination of user / NTLM hash.
  • Combination of user / NTLM logon session token.

If any valid credentials have been identified across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, then Bobby will be prompted with an interactive SMB shell where he can:

  • Navigate through the available shares: list, upload, download files, create, remove files, etc.
  • Deploy and undeploy his own service (for instance, a backdoor listening on a TCP port for incoming connections).
  • List users’ details and domains.
  • Read/write/delete registry keys (soon).
  • Spawn an interactive command prompt like PsExec can do (soon).

This tool does the trick and is the quickest way to identify in a single shot which dumped hashes work on which machines of the network perimeter without the need to crack the hashes. Moreover, it can also be used to login over SMB onto the systems where valid credentials have been spotted and perform the above mentioned operations.

keimpx is a work in progress tool and feedback is more than welcome.

Remember that:

  • Many users share the same password across multiple machines, this might include also Administrator, in such a case you are local administrator on most, if not all, the systems of the network perimeter.
  • You might have been lucky enough to dump also a domain administrator password hash (for instance, via LSA secrets dump, Pass-the-Hash’s whosthere.exe or incognito) so you totally own the domain and can login on all systems of the network with the highest global privileged user.

Little Bobby Tables can now call the Client and let him know that he has access to most (if not all) the network’s machines.

Own the LAN: the hardcore way

If no dumped credentials worked on any other system then Bobby needs to get his hands dirty.

If the Citrix environment has direct access to the Internet he could initiate an out-of-band connection with his own local system to pivot traffic from the local system to the Citrix machine’s network perimeter. This can be achieved, for instance, via Metasploit’s Meterpreter. From this point on he can launch any Metasploit module against other boxes to portscan them, perform a vulnerability assessment or exploit security flaws.
Otherwise, if the Citrix environment has no direct access to the Internet, Bobby can upload a port scanner and his suite of exploits to scan and own them all.
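The keimpx scenario above (one foothold testing a dumped credential against every host on the perimeter over SMB) leaves a distinctive trace on the receiving side: a burst of network (type 3) NTLM logon attempts for one account, from one source, against many different hosts in a few minutes, with the hash accepted on some and rejected on others. As an added, detection-side illustration that is not part of the original post, the code below runs that check over a constructed set of Windows 4624/4625 audit records. The flat CSV layout, host names and account names are assumptions made for the example, not a Windows export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample audit records (event 4624 = logon success, 4625 = failure).
# Fields: timestamp, event id, logon type, auth package, source workstation,
# target host, account domain, account name, NTSTATUS. CITRIX01 is the assumed
# compromised Citrix box; WKS0042 is an ordinary user workstation.
SAMPLE_EVENTS = """\
2009-12-02T10:00:01,4624,3,NTLM,CITRIX01,FILESRV01,CORP,svc_backup,0x0
2009-12-02T10:00:02,4625,3,NTLM,CITRIX01,FILESRV02,CORP,svc_backup,0xC000006D
2009-12-02T10:00:02,4624,3,NTLM,CITRIX01,SQLSRV01,CORP,svc_backup,0x0
2009-12-02T10:00:03,4625,3,NTLM,CITRIX01,WEB01,CORP,svc_backup,0xC000006D
2009-12-02T10:00:04,4624,3,NTLM,CITRIX01,DC01,CORP,svc_backup,0x0
2009-12-02T10:00:05,4624,3,NTLM,CITRIX01,PRINT01,CORP,svc_backup,0x0
2009-12-02T08:15:00,4624,3,Kerberos,WKS0042,FILESRV01,CORP,alice,0x0
2009-12-02T09:40:00,4624,3,NTLM,WKS0042,PRINT01,CORP,alice,0x0
2009-12-02T13:05:00,4624,3,NTLM,WKS0042,FILESRV01,CORP,alice,0x0
2009-12-02T10:00:10,4624,2,Negotiate,CITRIX01,CITRIX01,CORP,bob,0x0
"""


class Event(NamedTuple):
    ts: datetime
    event_id: int
    logon_type: int
    auth_pkg: str
    src: str
    target: str
    domain: str
    user: str
    status: str


class Alert(NamedTuple):
    src: str
    account: str
    hosts: List[str]        # every host the credential was tried against
    accepted_on: List[str]  # hosts where the logon succeeded


def parse(text: str) -> List[Event]:
    """Parse the constructed CSV form into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, pkg, src, tgt, dom, user, status = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), int(eid), int(ltype),
                            pkg, src, tgt, dom, user, status))
    return events


def find_credential_spray(events: List[Event],
                          window: timedelta = timedelta(minutes=5),
                          min_hosts: int = 3) -> List[Alert]:
    """Flag (source, account) pairs whose NTLM network logons touch >= min_hosts
    distinct targets inside any sliding window of the given length.

    Pass-the-hash logons look exactly like password logons in the audit log
    (type 3, package NTLM), so the fan-out across hosts is the signal, not the
    individual event.
    """
    by_key = defaultdict(list)
    for e in events:
        if e.logon_type == 3 and e.auth_pkg == "NTLM":
            by_key[(e.src, e.domain, e.user)].append(e)

    alerts = []
    for (src, dom, user), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        widest = set()
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {e.target for e in evs[start:end + 1]}
            if len(hosts) > len(widest):
                widest = hosts
        if len(widest) >= min_hosts:
            accepted = sorted({e.target for e in evs if e.event_id == 4624})
            alerts.append(Alert(src, f"{dom}/{user}", sorted(widest), accepted))
    return alerts


if __name__ == "__main__":
    for a in find_credential_spray(parse(SAMPLE_EVENTS)):
        print(f"{a.account} from {a.src}: tried {len(a.hosts)} hosts, "
              f"accepted on {', '.join(a.accepted_on)}")
```

Counting distinct targets rather than failures matters here: a credential that is valid everywhere (the shared local Administrator password the post warns about) produces only 4624 successes, so a failure-only brute-force rule never fires. The `accepted_on` list is also the scoping list for the responder: those are the hosts where the credential must be rotated and the sessions reviewed.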

How to vote anonymously under ubiquitous surveillance

December 2nd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

In 2006, the Chancellor proposed to invade an enemy planet, but his motion was anonymously vetoed. Three years on, he still cannot find out who did it.

This time, the Chancellor is seeking re-election in the Galactic Senate. Some delegates don’t want to vote for him, but worry about his revenge. How to arrange an election such that the voter’s privacy will be best protected?

The environment is extremely adverse. Surveillance is everywhere. Anything you say will be recorded and traceable to you. All communication is essentially public. In addition, you have no one to trust but yourself.

It may seem mind-boggling that this problem is solvable in the first place. With cryptography, anything is possible. In a forthcoming paper to be published by IET Information Security, we (joint work with Peter Ryan and Piotr Zielinski) described a decentralized voting protocol called “Open Vote Network”.

In the Open Vote Network protocol, all communication data is open, and publicly verifiable. The protocol provides the maximum protection of the voter’s privacy; only a full collusion can break the privacy. In addition, the protocol is exceptionally efficient. It compares favorably to past solutions in terms of the round efficiency, computation load and bandwidth usage, and has been close to the best possible in each of these aspects.

With the same security properties, it seems unlikely to have a decentralized voting scheme that is significantly more efficient than ours. However, in cryptography, nothing is ever optimal, so we keep this question open.

A preprint of the paper is available here, and the slides here.
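The post states the properties of the Open Vote Network (all messages public, no trusted party, privacy broken only by full collusion) without showing the mechanism. As an added illustration, not taken from the post or the paper, the code below implements the two-round exchange as published by Hao, Ryan and Zielinski: each voter publishes g^{x_i}, then publishes a ballot masked by a key Y_i that anyone can compute from the first round, and the masks cancel when all ballots are multiplied together. The toy group (p = 1019) and the omission of the zero-knowledge proofs that accompany each round are simplifications made for this example; a real run uses a standard 2048-bit group and the proofs are what stop a voter from publishing a malformed ballot.

```python
import secrets

# Toy group parameters, constructed for illustration only: p = 2q + 1 is a
# safe prime and g = 4 generates the subgroup of prime order q in Z_p^*.
# A real deployment would use a standard 2048-bit group; the exponent
# arithmetic is identical.
P = 1019
Q = 509
G = 4


def round1(n):
    """Round 1: every voter i picks a secret x_i and publishes g^{x_i}.

    Returns the secrets (each kept by its voter) and the public list that goes
    on the bulletin board. The published ZKP of knowledge of x_i is omitted.
    """
    secrets_x = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    public = [pow(G, x, P) for x in secrets_x]
    return secrets_x, public


def reconstructed_key(public, i):
    """Y_i = prod_{j<i} g^{x_j} / prod_{j>i} g^{x_j}, computable by anyone.

    With y_i the exponent of Y_i, sum_i x_i * y_i = 0, so the masks Y_i^{x_i}
    cancel when all ballots are multiplied together.
    """
    num = 1
    for j in range(i):
        num = num * public[j] % P
    den = 1
    for j in range(i + 1, len(public)):
        den = den * public[j] % P
    return num * pow(den, -1, P) % P


def round2(secrets_x, public, votes):
    """Round 2: voter i publishes Y_i^{x_i} * g^{v_i} with v_i in {0, 1}.

    The accompanying ZKP that v_i is 0 or 1 (which stops a voter from
    casting g^{1000}) is omitted in this illustration.
    """
    ballots = []
    for i, (x, v) in enumerate(zip(secrets_x, votes)):
        if v not in (0, 1):
            raise ValueError("vote must be 0 or 1")
        ballots.append(pow(reconstructed_key(public, i), x, P) * pow(G, v, P) % P)
    return ballots


def tally(ballots):
    """Self-tallying: multiply all ballots; the masks cancel, leaving g^{sum v_i}.

    No secret is needed; the count is recovered by trying the n + 1 possible
    totals, which is cheap because the tally is a small integer.
    """
    product = 1
    for b in ballots:
        product = product * b % P
    for count in range(len(ballots) + 1):
        if pow(G, count, P) == product:
            return count
    raise ValueError("ballots do not combine to a valid tally")


def masks_cancel(secrets_x, public):
    """Check the key-cancellation identity prod_i Y_i^{x_i} == 1 directly."""
    product = 1
    for i, x in enumerate(secrets_x):
        product = product * pow(reconstructed_key(public, i), x, P) % P
    return product == 1


def run_election(votes):
    """Full protocol run for a list of 0/1 votes; returns the number of 'yes' votes."""
    secrets_x, public = round1(len(votes))
    return tally(round2(secrets_x, public, votes))


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0]))
```

The privacy claim in the post follows from the structure of the mask: stripping Y_i^{x_i} from voter i's ballot requires either x_i or every other voter's secret, so only a collusion of all the other participants learns an individual vote, while the tally itself needs no secret at all.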

Quick Thoughts on the Point of Sale Security Fail Lawsuit

December 2nd, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Let the games begin.

It seems that Radiant Systems, a point of sale terminal company, and Computer World, the company that sold and maintained the Radiant system, are in a bit of a pickle. Seven restaurants are suing them for producing insecure systems that led to security breaches, which led to fines for the breached companies, chargebacks, card replacement costs, and investigative costs. These are real costs, people, none of that silly “lost business and reputation” garbage.

The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.

Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.

The breaches seemed to result from two failures — one by Radiant (who makes the system), and one by Computer World (who installed and maintained it).

  1. The Radiant system stored magnetic track data in violation of PCI.
  2. Computer World enabled remote access for the system (the control server on premise) using a default username and password.

While I’ve railed against PCI at times, this is an example of how the system can work. By defining a baseline that can be used in civil cases, it really does force the PoS vendors to improve security. This is peripheral to the intent and function of PCI, but beneficial nonetheless. This case also highlights how these issues can affect smaller businesses. If you read the source article, you can feel the anger of the merchants at the system and costs thrust on them by the card companies. Keep in mind, they are already pissed since they have to pay 2-5% on every transaction so you can get your airline miles, fake diamond bracelets, and cheap gift cards.

The quote from the vendor is priceless, and if the accusations in the lawsuit are even close to accurate, totally baseless:

“What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry,” Paul Langenbahn, president of Radiant’s hospitality division, told the Atlanta Journal-Constitution. “We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”

Maybe they can go join a certain ex-governor from Illinois on the next season of The Celebrity Apprentice, since they are reading from the same playbook.

There are a few lessons in this situation:

  • The lines have moved, and PCI now affects civil liability and government regulation.
  • PCI compliance, and Internet-based cardholder security, now affect even small merchants, even those without an Internet presence.
  • We have a growing body of direct loss measurements (time to revise my Data Breach Costs model).
  • We are seeing product liability in action… by the courts, not legislation.
  • As with many other breaches, following the most basic security principles could have prevented these.

I think this last quote sums up the merchant side perfectly:

“Radiant just basically hung us out to dry,” he says. “It’s quite obvious to me that they’re at fault. . . . When you buy a system for $20,000, you feel like you’re getting a state-of-the-art system. Then three to four months after I bought the system I’m hacked into.”

- Rich