Roy Firestein

Security Feeds

Archive for January, 2010

Scientists grow solar cell components in tobacco plants

January 31st, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
(PhysOrg.com) — Over billions of years, plants have evolved very efficient sunlight-collecting systems. Now, scientists are trying to harness the finely tuned systems in tobacco plants in order to use them as the building blocks of solar cells. Scientists predict that the technique could lead to the production of inexpensive, biodegradable solar cells.

NIF Moves 5.9 Million Degrees Closer To Fusion Power

January 29th, 2010. Published under My Recent Reads. No Comments.

With the need for a cheap and abundant alternative to fossil fuels more important than ever before, the field of fusion energy is getting hotter. Really, really hot. 6 million degrees hot. Yes, the National Ignition Facility, the Department of Energy’s pet fusion project, has finally fired up its 192 lasers and zapped something, moving us one step closer to the day of clean, nearly free, fusion energy.

Writing in the journal Science, NIF scientists describe how their lasers, which occupy as much space as three football fields in Livermore, California, heated a small gold capsule up to 5.9 million degrees Fahrenheit. Had the capsule contained the hydrogen isotopes deuterium and tritium, that temperature would have been hot enough to cause a fusion-generating implosion.

The scientists measured the record-breaking temperature by looking at the X-ray radiation emitted by the imploding gold capsule. The data shows that the lasers are hot enough, and targeted correctly enough, to proceed to the next step: actual fusion.

Currently, there’s no date for when the lab will attempt to implode actual fusion fuel, but it will probably take at least a couple of months. In the meanwhile, to get an idea of the kinds of temperatures and energies the NIF scientists are dealing with, just take a look at that giant yellow thing in the sky.

Parallel Algorithm Leads To Crypto Breakthrough

January 29th, 2010. Published under My Recent Reads. No Comments.

Hugh Pickens writes “Dr. Dobbs reports that a cracking algorithm using brute force methods can analyze the entire DES 56-bit keyspace with a throughput of over 280 billion keys per second, the highest-known benchmark speeds for 56-bit DES decryption and can accomplish a key recovery that would take years to perform on a PC, even with GPU acceleration, in less than three days using a single, hardware-accelerated server with a cluster of 176 FPGAs. The massively parallel algorithm iteratively decrypts fixed-size blocks of data to find keys that decrypt into ASCII numbers. Candidate keys that are found in this way can then be more thoroughly tested to determine which candidate key is correct.”

Read more of this story at Slashdot.

DAVID THORNE KILLS IT AGAIN – THE BLOCKBUSTER SAGA..

January 28th, 2010. Published under My Recent Reads. No Comments.

If you don’t know who David Thorne is, I’ll remind you – he is the genius that gave you the “spider drawing” email mayhem. Then there was the “Party in Apartment 3” escapade and the “design me a logo” piece of genius.

But he didn’t stop there – our boy decided to give the people at BlockBuster Video a nervous breakdown as well.

Sit back and enjoy this..

It all started when they (BlockBuster) sent him a “your video is overdue” letter:

thorne-blockbuster.jpg

Enter, David Thorne:

From: David Thorne
Date: Sunday 8 November 2009 2.16pm
To: Megan Roberts
Subject: DVDs

Dear Megan,

Thank you for your letter regarding overdue fees. As all four movies were outstanding examples of modern cinematic masterpieces, your assumption that I would wish to retain them in my possession is understandable, but incorrect. Please check your records as these movies were returned, on time, over three weeks ago. I remember specifically driving there and having my offspring run them in due to the fact that I was wearing shorts and did not want the girl behind the counter to see my white hairy legs.

Regards, David.

From: Megan Roberts
Date: Monday 9 November 2009 11.09am
To: David Thorne
Subject: Re: DVDs

Hi David

Our computer system indicates otherwise. Please recheck and get back to me.

Kind regards,
Megan

From: David Thorne
Date: Monday 9 November 2009 11.36am
To: Megan Roberts
Subject: Re: Re: DVDs

Dear Megan,

Yes, they are definitely white and hairy. Viewed from the knees down, the similarity to two large albino caterpillars in parallel formation is frightening. People who knew what the word meant might describe them as ‘piliferous’, although there is something quite sexy about that word so perhaps they wouldn’t.

Regards, David.

From: Megan Roberts
Date: Monday 9 November 2009 1.44pm
To: David Thorne
Subject: Re: Re: Re: DVDs

Hi David

No I mean our records indicate that the DVDs have not been returned. Please check and return as soon as possible.

Kind regards,
Megan

From: David Thorne
Date: Monday 9 November 2009 4.19pm
To: Megan Roberts
Subject: Re: Re: Re: Re: DVDs

Dear Megan,

With the possible exception of Harold and Kumar Escape from Guantanamo Bay, the movies were not worth watching let alone stealing. In Logan’s Run, for example, the computer crashed at the end when presented with conflicting facts and blew up destroying the entire city. When my computer crashes I carry on a little bit and have a cigarette while it is rebooting. I don’t have to search through rubble for my loved ones. The same programmers probably designed the Blockbuster ‘returned or not’ database. Also, while one would assume the title Journey to the Centre of the Earth to be a metaphor, the movie was actually set in the centre of the earth which, being a solid core of iron with temperatures exceeding 4300˚ Celsius and pressures of 3900 tons per square centimetre, does not seem very likely. Waterworld was actually pretty good though. My favourite bit was when they were on the water but the scene when Kevin Costner negotiated for peace, ending the war between fish and mankind moments before the whale army attacked was also very good.

Regards, David.

From: Megan Roberts
Date: Tuesday 10 November 2009 3.57pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: DVDs

David

The DVDs are listed as not returned. If you can’t locate the DVDs, you will be charged for the replacement cost.

Megan

From: David Thorne
Date: Tuesday 10 November 2009 5.12pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

I have checked pricing at the DVD Warehouse and the cost of replacing your lost movies with new ones is as follows:

Harold and Kumar Escape from Guantanamo Bay $7.95
Waterworld $4.95
Journey to the Centre of the Earth $9.95
Logan’s Run $12.95

I have no idea why Logan’s Run is the most expensive of the four movies as it was definitely the worst. Have you seen it? I wouldn’t pay $12.95 for that. I would use the money to buy a good movie instead. Probably something with Steven Seagal in it. The entire premise comprised of living a utopian and carefree lifestyle with only three drawbacks – wearing seventies jumpsuits, living in what looks like a giant shopping centre and not being allowed to live past thirty. This would seem logical though as I would not want a bunch of old people hanging around complaining about their arthritis while I am trying to relax at the shopping centre in my jumpsuit trying not to think about the computer crashing.

I was recently forced to do volunteer work at an aged care hospital. Footage of these people during Tuesday night line dancing could be used as an advertisement for the Logan’s Run solution. The only good aspect of working there was that I halved their medication, pocketing and selling the remainder, explaining the computer listed that as their dose and they were welcome to check knowing their abject fear of anything produced after the eighteenth century would prevent them from doing so. I also swapped my Sanyo fourteen inch portable television for their Panasonic wide screen plasma while they were sleeping, explaining that it had always been that way and their senility was simply playing up due to the reduced dosage of drugs.

Regards, David.

From: Megan Roberts
Date: Wednesday 11 November 2009 1.21pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: DVDs

Hi David

I have not seen those movies so I don’t know what you are talking about. I prefer romantic comedies. If you have the movies we can’t rent them so we lose money and the fees are based on what we would have made from renting them and we also have to purchase movies through our suppliers not from DVD Warehouse.

Megan

From: David Thorne
Date: Wednesday 11 November 2009 3.28pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

I myself am also a huge fan of romantic comedies. Perhaps we could watch one together. I have a new Panasonic wide screen plasma. My favourite romantic comedy is Fatal Instinct although it did not contain enough robots or explosions in my opinion and I was therefore unable to truly identify with the main characters on a personal and emotional level. Recently, I was tricked into watching The Notebook which was about geese. Lots of geese. It also had something to do with an old lady who conveniently lost her memory so she could not remember being a whore throughout the entire film. I don’t recall a lot of it as I was too busy being cross about watching it. In a utopian future society she would have been hunted down and killed at thirty.

In regards to the late fees, I understand the amount is based on what you lose by not being able to rent the movies out. You probably had people lined up around the block waiting to rent Logan’s Run. For eighty two dollars though, I could have purchased six copies of it from DVD Warehouse or, as I have heard he is a bit strapped for cash, had Kevin Costner visit my house in person and re-enact key scenes from Waterworld in my bathroom.

Regards, David.

From: Megan Roberts
Date: Thursday 12 November 2009 3.16pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Hi David.
Restocking fees are:

002190382 Journey to the Centre of the Earth $9.30
003103119 Logans Run $7.90
008629103 Harold and Kumar Escape from Guantanamo Bay $6.30
000721082 Waterworld $5.70

Total: $29.20 – I have deleted your late fees and noted on the computer that the amount owed is for the replacement movies not fees.

Kind regards,
Megan

From: David Thorne
Date: Thursday 12 November 2009 7.42pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

Those prices seem reasonable. I do not want Logan’s Run but will pick up the other three when I come in next.

Regards, David.

From: Megan Roberts
Date: Friday 13 November 2009 12.51pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

What? The $29.20 is the cost of the replacement DVDs for the store.

Megan

From: David Thorne
Date: Friday 13 November 2009 1.15pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

That makes more sense, I was wondering what I was going to do with two copies of each movie.

Regards, David.

From: Megan Roberts
Date: Friday 13 November 2009 2.33pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

What do you mean by two copies? Are you saying you found the four movies?

Megan

From: David Thorne
Date: Friday 13 November 2009 2.57pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

Yes, they were on top of my fridge the whole time. Unfortunately I have a blind spot that prevents me from seeing this area of the kitchen as it is also where I keep my pile of unpaid bills. Last night I slept on the kitchen floor with the fridge door open due to my air conditioner being broken and the temperature outside exceeding that of the centre of the earth. As my fridge emits a high pitched ‘beep’ every thirty seconds when left open, the vibrations from this caused the DVDs to wriggle forward over the space of many hours before toppling from the edge and I awoke to find them beside me on the pillow. As you have already waived the late fees, I will drop them off tonight and we will call it even.

Regards, David.

From: Megan Roberts
Date: Friday 13 November 2009 3.43pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Ok.

[thanks misha]

Look Beyond the Exploit

January 28th, 2010. Published under My Recent Reads. No Comments.

The post One Exploit Should Not Ruin Your Day by Dino Dai Zovi made me think:

Finally, the larger problem is that it only took one exploit to compromise these organizations. One exploit should never ruin you day. [sic]

No, that is wrong. The larger problem is not that it “only took one exploit to compromise these organizations.” I see this mindset in many shops who aren’t defending enterprises on a daily basis. This point of view incorrectly focuses on exploitation as a point-in-time, “skirmish” event, disconnected from the larger battle or the ultimate campaign.

The real “larger problem” is that the exploit is only part of a campaign, where the intruder never gives up. In other words, comprehensive threat removal is the problem. There is no “cleaning,” or “disinfecting,” or “recovery” at the battle or campaign level. You might restore individual assets to a semi-trustworthy state, but the advanced persistent threat only cares that they can maintain long-term access to the environment.

If the problem were simply defending against a compromised asset, we would not still be talking about this issue. Rather, the problem is that it is exceptionally difficult, if not impossible, to remove this threat. Individual exploits add to the problem but they are only skirmishes.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Links

January 28th, 2010. Published under My Recent Reads. No Comments.

Tools
David Kovar has written a tool, in Python, to parse the NTFS $MFT, called analyzeMFT. The tool can be downloaded from this site. I’ve been using Mark Menz’s MFTRipper to parse this data, and having other tools to do this sort of thing available can only be a good thing.

MS article on NTFS $MFT
Lance’s article on Detecting Timestamp Changing Utilities

Windows 7 XP Mode
One of the interesting aspects of Windows 7, from both a usability and a digital forensics point of view is the addition of XP Mode. In short, if you have a system whose processor supports hardware virtualization (be sure to check that out!!), you can install a Windows XP SP3 virtual machine into VPC on Windows 7, and run tools that may not run (or run quite as well) on Windows 7. This sort of thing could be very useful from an analyst’s perspective…with just one platform, you can run tools that don’t rely on the Windows API to parse some data sources, and at the same time, you can run other tools that do require the Windows API, and even a specific version.

So, while this can be very useful, there’s the question of virtualization and how it affects what the analyst needs to look for when examining a system. Diane Barrett has discussed artifacts left when someone uses Moka5 or MojoPak in presentations, and we’re all aware of other virtualization tools and platforms out there…but with XP Mode, it’s built into the OS shell.

The key to all this, from a digital forensics perspective, is going to be in determining where the artifacts of interest exist.

XP Mode Resources
Tony Bradley’s article
LifeHacker article

AV, Symantec and the Google Thang
Symantec posted something on the Trojan.Hydraq Incident, indicating that it is associated with the Google issue that popped up recently.

Something I find concerning about their write-up is the description of the artifacts. They mention that the Trojan is a DLL and installs as a Windows service with the name “RaS[4 random characters]”. Well, that’s easy enough to search for across the enterprise…look for any service name that starts with “RaS”. The problem is, this isn’t the whole story. If the executable file is a DLL, that would indicate that it installs “under” something else, like SvcHost. This would mean that there are other artifacts; specifically, if someone finds a service with the specified name, then they should look at the Parameters subkey for the ServiceDll value…what happens if the name of the file changes from what’s listed in the write-up? How about checking the SvcHost key in the Software hive?
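The pivot described above (service name, then Parameters\ServiceDll, then the Svchost key in the Software hive), as an added example that is not part of the original post. It parses text in the layout printed by `reg query <key> /s`; the sample data, the "RaSqzxv" service, its DLL name, the baseline and the function names are all constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `reg query <key> /s`.
# "RaSqzxv" and its DLL name are made up; RasAuto and RasMan are stock
# Windows services that happen to share the prefix.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\rasauto.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\rasmans.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSqzxv
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSqzxv\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\example_placeholder.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs    REG_MULTI_SZ    RasAuto\0RasMan\0RaSqzxv\0Schedule
"""

# Assumption: known-good ServiceDll values recorded from a clean reference build.
BASELINE = {
    "rasauto": r"%SystemRoot%\System32\rasauto.dll",
    "rasman": r"%SystemRoot%\System32\rasmans.dll",
}

SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\".lower()
SVCHOST = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
           "\\CurrentVersion\\Svchost").lower()
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_query(text):
    """Map lowercased key path -> (original path, {lowercased value name: data})."""
    keys, values = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            path = line.strip()
            values = {}
            keys[path.lower()] = (path, values)
        elif values is not None:
            match = VALUE_RE.match(line)
            if match:
                values[match.group(1).lower()] = match.group(3).strip()
    return keys


def svchost_groups(keys):
    """Lowercased service name -> svchost group, read from the Software hive."""
    _, groups = keys.get(SVCHOST, (None, {}))
    return {name.lower(): group
            for group, data in groups.items()
            for name in data.split("\\0") if name}   # reg query prints \0 separators


def triage(text, baseline, prefix="RaS"):
    """List services whose name starts with `prefix` (registry key names are
    case-insensitive) together with the DLL each one actually loads."""
    keys = parse_reg_query(text)
    groups = svchost_groups(keys)
    shape = re.compile(re.escape(prefix) + ".{4}", re.IGNORECASE)
    findings = []
    for low, (path, values) in sorted(keys.items()):
        if not low.startswith(SERVICES):
            continue
        name = path[len(SERVICES):]
        if "\\" in name or not name.lower().startswith(prefix.lower()):
            continue                      # a subkey, or a different prefix
        _, params = keys.get(low + "\\parameters", (None, {}))
        dll = params.get("servicedll")
        known_good = (dll is not None and
                      baseline.get(name.lower(), "").lower() == dll.lower())
        findings.append({
            "service": name,
            "fits_prefix_plus_4": shape.fullmatch(name) is not None,
            "image_path": values.get("imagepath"),
            "service_dll": dll,
            "svchost_group": groups.get(name.lower()),
            "verdict": "baseline" if known_good else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, BASELINE):
        print(finding)
```

The name search alone also returns the stock RasAuto and RasMan services; it is the ServiceDll value compared against a baseline that separates them from the entry needing review, whatever the DLL happens to be called.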

Symantec isn’t the only one who doesn’t provide a great deal of useful information to folks, either. The MMPC has a write-up on rootkits, and mentions Trojan:W32/AproposMedia…here’s their write-up on that one. Googling, I find that EmsiSoft, makers of the a-squared AV product, have something a bit more substantial.

SafeBoot
Didier Stevens has posted about restoring SafeMode with a .reg file, adding a bit more to his info about a virus that deletes the SafeBoot key, tricks to restore SafeBoot, and protecting the SafeBoot key from being deleted. While not an end-all, be-all security approach, it is a good idea to take a look at this and consider making it part of your system setup. After all, where would you be if you didn’t have access to a bit of safety net like SafeBoot?

Safe Mode Boot Options
Safe Mode Boot options for XP (here’re the options for Windows 2000)

Interesting Request
I received an interesting request in my email this morning…someone wanted to use one of my Perl scripts in part of their courseware, and was asking if it was okay to do so. I appreciate when people do that, but I didn’t recognize the script: sweep.pl. I followed the link provided in the email and downloaded the script…it’s a port scanner/banner grabbing script I wrote in 1998! I wouldn’t call my skillz ‘l33t in any sense, even now…but back then, maybe imaginative. After all, I was doing stuff back then to see if I could, and to see if I really understood the mechanics of what was going on.

Obama’s budget slashes moon mission, new rockets

January 28th, 2010. Published under My Recent Reads. No Comments.

NASA’s plans to return astronauts to the moon are dead. So are the rockets being designed to take them there — that is, if President Barack Obama gets his way.

A Primer on Information Theory and Privacy

January 28th, 2010. Published under My Recent Reads. No Comments.

If we ask whether a fact about a person identifies that person, it turns out that the answer isn’t simply yes or no. If all I know about a person is their ZIP code, I don’t know who they are. If all I know is their date of birth, I don’t know who they are. If all I know is their gender, I don’t know who they are. But it turns out that if I know these three things about a person, I could probably deduce their identity! Each of the facts is partially identifying.

There is a mathematical quantity which allows us to measure how close a fact comes to revealing somebody’s identity uniquely. That quantity is called entropy, and it’s often measured in bits. Intuitively you can think of entropy as being a generalization of the number of different possibilities there are for a random variable: if there are two possibilities, there is 1 bit of entropy; if there are four possibilities, there are 2 bits of entropy, etc. Adding one more bit of entropy doubles the number of possibilities.[1]

Because there are around 7 billion humans on the planet, the identity of a random, unknown person contains just under 33 bits of entropy (two to the power of 33 is 8 billion). When we learn a new fact about a person, that fact reduces the entropy of their identity by a certain amount. There is a formula to say how much:

ΔS = – log2 Pr(X=x)

Where ΔS is the reduction in entropy, measured in bits,[2] and Pr(X=x) is simply the probability that the fact would be true of a random person. Let’s apply the formula to a few facts, just for fun:

Starsign: ΔS = – log2 Pr(STARSIGN=capricorn) = – log2 (1/12) = 3.58 bits of information
Birthday: ΔS = – log2 Pr(DOB=2nd of January) = -log2 (1/365) = 8.51 bits of information

Note that if you combine several facts together, you might not learn anything new; for instance, telling me someone’s starsign doesn’t tell me anything new if I already knew their birthday.[3]

In the examples above, each starsign and birthday was assumed to be equally likely.[4] The calculation can also be applied to facts which have non-uniform likelihoods. For instance, the likelihood that an unknown person’s ZIP code is 90210 (Beverly Hills, California) is different to the likelihood that their ZIP code would be 40203 (part of Louisville, Kentucky). As of 2007, there were 21,733 people living in the 90210 area, only 452 in 40203, and around 6.625 billion on the planet.

Knowing my ZIP code is 90210: ΔS = – log2 (21,733/6,625,000,000) = 18.21 bits
Knowing my ZIP code is 40203: ΔS = – log2 (452/6,625,000,000) = 23.81 bits
Knowing that I live in Moscow: ΔS = -log2 (10524400/6,625,000,000) = 9.30 bits

How much entropy is needed to identify someone?

As of 2007, identifying someone from the entire population of the planet required:

S = – log2 (1/6625000000) = 32.6 bits of information.

Conservatively, we can round that up to 33 bits.

So for instance, if we know someone’s birthday, and we know their ZIP code is 40203, we have 8.51 + 23.81 = 32.32 bits; that’s almost, but perhaps not quite, enough to know who they are: there might be a couple of people who share those characteristics. Add in their gender, that’s 33.32 bits, and we can probably say exactly who the person is.[5]
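The way facts combine, worked through as an added example that is not part of the original post: each new fact's ΔS is computed conditionally on the facts already known, using frequencies in the remaining candidates rather than assumed probabilities. The toy population, the ZIP labels AAAAA and BBBBB, and the function names are constructed for illustration.

```python
import math
from datetime import date, timedelta

# Conventional start dates (month, day) of each sign; Capricorn wraps the year end.
SIGNS = [((1, 20), "aquarius"), ((2, 19), "pisces"), ((3, 21), "aries"),
         ((4, 20), "taurus"), ((5, 21), "gemini"), ((6, 21), "cancer"),
         ((7, 23), "leo"), ((8, 23), "virgo"), ((9, 23), "libra"),
         ((10, 23), "scorpio"), ((11, 22), "sagittarius"), ((12, 22), "capricorn")]


def starsign(month, day):
    sign = "capricorn"                      # covers 1-19 January
    for start, name in SIGNS:
        if (month, day) >= start:
            sign = name
    return sign


def build_population():
    """Constructed toy population: for every birthday of a non-leap year and
    each of two genders, three residents of ZIP 'AAAAA' and one of 'BBBBB'."""
    people = []
    day = date(2007, 1, 1)
    while day.year == 2007:
        for gender in ("female", "male"):
            for zip_code in ("AAAAA", "AAAAA", "AAAAA", "BBBBB"):
                people.append({
                    "dob": (day.month, day.day),
                    "month": day.month,
                    "starsign": starsign(day.month, day.day),
                    "gender": gender,
                    "zip": zip_code,
                })
        day += timedelta(days=1)
    return people


def learn(population, facts):
    """Apply facts in order and return (attribute, bits gained, candidates left).

    bits = -log2 Pr(fact | facts already known), where the probability is the
    share of the remaining candidates for whom the new fact is true.
    """
    candidates, steps = population, []
    for attr, value in facts:
        matching = [p for p in candidates if p[attr] == value]
        if not matching:
            raise ValueError(f"nobody matches {attr}={value!r}")
        bits = math.log2(len(candidates) / len(matching))
        steps.append((attr, round(bits, 2), len(matching)))
        candidates = matching
    return steps


if __name__ == "__main__":
    population = build_population()
    print("population entropy:", round(math.log2(len(population)), 2), "bits")
    # Starsign adds nothing once the birthday is known; gender and ZIP still do.
    for step in learn(population, [("dob", (1, 2)), ("starsign", "capricorn"),
                                   ("gender", "female"), ("zip", "BBBBB")]):
        print(step)
    # The in-between case: month of birth first, then starsign.
    for step in learn(population, [("month", 12), ("starsign", "capricorn")]):
        print(step)
```

When a single candidate is left, the bits gained along the way add up to the entropy of the whole population, which is the 33-bit argument above in miniature.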

An Application To Web Browsers

Now, how would this paradigm apply to web browsers? It turns out that, in addition to the commonly discussed “identifying” characteristics of web browsers, like IP addresses and tracking cookies, there are more subtle differences between browsers that can be used to tell them apart.

One significant example is the User-Agent string, which contains the name, operating system and precise version number of the browser, and which is sent to every web server you visit. A typical User Agent string looks something like this:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

As you can see, there’s quite a lot of “stuff” in there. It turns out that that “stuff” is quite useful for telling different people apart on the net. In another post, we report that on average, User Agent strings contain about 10.5 bits of identifying information, meaning that if you pick a random person’s browser, only one in 1,500 other Internet users will share their User Agent string.

EFF’s Panopticlick project is a privacy research effort to measure how much identifying information is being conveyed by other browser characteristics. Visit Panopticlick to see how identifying your browser is, and to help us in our research.

  1. Entropy is actually a generalization of counting the number of possibilities, to account for the fact that some of the possibilities are more likely than others. You can find a pretty version of the formula here.
  2. This quantity is called the “self-information” or “surprisal” of the observation, because it is a measure of how “surprising” or unexpected the new piece of information is. It is really measured with respect to the random variable that is being observed (perhaps, a person’s age or where they live), and a new, reduced, entropy for their identity can be calculated in the light of this observation.
  3. What happens when facts are combined depends on whether the facts are independent. For instance, if you know someone’s birthday and gender, you have 8.51 + 1 = 9.51 bits of information about their identity because the probability distributions of birthday and gender are independent. But the same isn’t true for birthdays and starsigns. If I know someone’s birthday, then I already know their starsign, and being told their starsign doesn’t increase my information at all. We want to calculate the change in conditional entropy of the person’s identity on all the observed variables, and we can do that by making the probabilities for new facts conditional on all the facts we already know. Hence we see ΔS = -log2 Probability(Gender=Female|DOB=2nd of January) = -log2(1/2) = 1, and ΔS = -log2 Probability(Starsign=Capricorn|DOB=2nd of January) = -log2(1) = 0. In between cases are also possible: if I knew that someone was born in December, and then I learn that they are a Capricorn, I still gain some new bits of information, but not as much as I would have if I hadn’t known their month of birth: ΔS = -log2 Probability(Starsign=Capricorn|month of birth=December) = -log2 (10/31) = 1.63 bits.
  4. Actually, in the birthday example, we should have accounted for the possibility that someone was born on the 29th of February during a leap year, in which case ΔS =-log2 Pr(1/365.25)
  5. If you’re paying close attention, you might have said, “Hey, that doesn’t sound right; sometimes there will be only one person in ZIP code 40203 who has a given birthday, in which case you don’t need gender to identify them, and it’s possible (but unlikely) that ten people in 40203 were all born on the 2nd of January.” The correct way to formalize these issues would be to use the real frequency distribution of birthdays in the 40203 ZIP code.

2009 Blog Rewind: The Three-Way Handshake is a Lie!

January 22nd, 2010. Published under My Recent Reads. No Comments.

As I close out my look at some of the most influential posts published here in 2009 I conclude with a post that garnered widespread industry recognition and sparked many discussions, Tod Beardsley’s “TCP Portals: The Handshake’s A Lie”. The post, only published a month ago, drew thousands of readers and dozens of comments. More importantly it shed some light on a potentially damaging vulnerability:

Whenever I interview someone for an Application Engineer or Security Research position, my favorite introductory question is, “Can you describe for me the TCP three-way handshake?”. It is a fine baseline question to understand a candidate’s knowledge of modern networking. Answers range from “SYN, SYN/ACK, ACK,” to a full description of ARP, to initial sequence number generation. It’s a good springboard question, because then you can start talking about spoofing addresses, port scanning, the significance of IPIDs, and more.

We are hiring a lot here at BreakingPoint, which means I’m asking this question a lot. After the fourth or fifth interview, I decided one morning to look over RFC 793 to make sure that I really did know everything there is to know about the handshake. That is when I found out that we’ve all been living a lie.

Read the full post, “TCP Portals: The Handshake’s A Lie”.

And once again thank you to all of our fantastic contributors to this blog and to the readers that continue to provide us with commentary and insight. Happy New Year.

Top Ten Web Hacking Techniques of 2009 (Official)

January 22nd, 2010. Published under My Recent Reads. No Comments.

Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Not to be confused with individual vulnerability instances brandishing CVE numbers, nor intrusions / incidents, but actual new methods of Web attack. Some techniques target websites, others Web browsers, and the rest somewhere in between. Historically much of this research would unfortunately end up in obscure corners of the Web and become long forgotten. Now in its fourth year, the Top Ten Web Hacking Techniques list provides a centralized repository for this knowledge and recognizes researchers contributing to the advancement of our industry. 2009 produced ~80 new attack techniques (see below).

The diversity, volume, and innovation of the research was impressive. Competition was as fierce as ever and the judges had their work cut out. Rich Mogull, Dinis Cruz, Chris Hoff, HD Moore, Billy Rios, Dan Kaminsky, Romain Gaucher, Steven Christey, Jeff Forristal, and Michal Zalewski were tasked with ranking the field based upon novelty, impact, and overall pervasiveness. For any researcher simply the act of creating something unique enough to appear on the list is itself an achievement. Today the polls are closed, votes are in, and the top ten list has been finalized. Researchers making the cut can expect to receive praise amongst their peers and take their place amongst those from previous years (2006, 2007, 2008).

Top honors go to Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger for their work on “Creating a rogue CA certificate.” The judges were convinced by no small margin that this entry stood head and shoulders above the rest. The team will be awarded a free pass to attend the BlackHat USA Briefings 2010! (generously sponsored by Black Hat)

Top Ten Web Hacking Techniques of 2009!

1. Creating a rogue CA certificate
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger

2. HTTP Parameter Pollution (HPP)
Luca Carettoni, Stefano diPaola

3. Flickr’s API Signature Forgery Vulnerability (MD5 extension attack)
Thai Duong and Juliano Rizzo

4. Cross-domain search timing
Chris Evans

5. Slowloris HTTP DoS
Robert Hansen, (additional credit for earlier discovery to Adrian Ilarion Ciobanu & Ivan Ristic – “Programming Model Attacks” section of Apache Security for describing the attack, but did not produce a tool)

6. Microsoft IIS 0-Day Vulnerability Parsing Files (semi‐colon bug)
Soroush Dalili

7. Exploiting unexploitable XSS
Stephen Sclafani

8. Our Favorite XSS Filters and how to Attack them
Eduardo Vela (sirdarckcat), David Lindsay (thornmaker)

9. RFC1918 Caching Security Issues
Robert Hansen

10. DNS Rebinding (3-part series Persistent Cookies, Scraping & Spamming, and Session Fixation)
Robert Hansen

Congratulations to all!

Coming up at IT-Defense (Feb. 3 – 5) and RSA USA 2010 (Mar. 1 – 5) it will be my great honor to introduce each of the top ten during my “2010: A Web Hacking Odyssey” presentations. Each technique will be described in technical detail for how they work, what they can do, who they affect, and how best to defend against them. The opportunity provides a chance to get a closer look at the new attacks that could be used against us in the future.

The Complete List

  1. Persistent Cookies and DNS Rebinding Redux
  2. iPhone SSL Warning and Safari Phishing
  3. RFC 1918 Blues
  4. Slowloris HTTP DoS
  5. CSRF And Ignoring Basic/Digest Auth
  6. Hash Information Disclosure Via Collisions – The Hard Way
  7. Socket Capable Browser Plugins Result In Transparent Proxy Abuse
  8. XMLHTTPReqest “Ping” Sweeping in Firefox 3.5+
  9. Session Fixation Via DNS Rebinding
  10. Quicky Firefox DoS
  11. DNS Rebinding for Credential Brute Force
  12. SMBEnum
  13. DNS Rebinding for Scraping and Spamming
  14. SMB Decloaking
  15. De-cloaking in IE7.0 Via Windows Variables
  16. itms Decloaking
  17. Flash Origin Policy Issues
  18. Cross-subdomain Cookie Attacks
  19. HTTP Parameter Pollution (HPP)
  20. How to use Google Analytics to DoS a client from some website.
  21. Our Favorite XSS Filters and how to Attack them
  22. Location based XSS attacks
  23. PHPIDS bypass
  24. I know what your friends did last summer
  25. Detecting IE in 12 bytes
  26. Detecting browsers javascript hacks
  27. Inline UTF-7 E4X javascript hijacking
  28. HTML5 XSS
  29. Opera XSS vectors
  30. New PHPIDS vector
  31. Bypassing CSP for fun, no profit
  32. Twitter misidentifying context
  33. Ping pong obfuscation
  34. HTML5 new XSS vectors
  35. About CSS Attacks
  36. Web pages Detecting Virtualized Browsers and other tricks
  37. Results, Unicode Left/Right Pointing Double Angle Quotation Mark
  38. Detecting Private Browsing Mode
  39. Cross-domain search timing
  40. Bonus Safari XXE (only affecting Safari 4 Beta)
  41. Apple’s Safari 4 also fixes cross-domain XML theft
  42. Apple’s Safari 4 fixes local file theft attack
  43. A more plausible E4X attack
  44. A brief description of how to become a CA
  45. Creating a rogue CA certificate
  46. Browser scheme/slash quirks
  47. Cross-protocol XSS with non-standard service ports
  48. Forget sidejacking, clickjacking, and carjacking: enter “Formjacking”
  49. MD5 extension attack
  50. Attack – PDF Silent HTTP Form Repurposing Attacks
  51. XSS Relocation Attacks through Word Hyperlinking
  52. Hacking CSRF Tokens using CSS History Hack
  53. Hijacking Opera’s Native Page using malicious RSS payloads
  54. Millions of PDF invisibly embedded with your internal disk paths
  55. Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
  56. Pwning Opera Unite with Inferno’s Eleven
  57. Using Blended Browser Threats involving Chrome to steal files on your computer
  58. Bypassing OWASP ESAPI XSS Protection inside Javascript
  59. Hijacking Safari 4 Top Sites with Phish Bombs
  60. Yahoo Babelfish – Possible Frame Injection Attack – Design Stringency
  61. Gmail – Google Docs Cookie Hijacking through PDF Repurposing & PDF
  62. IE8 Link Spoofing – Broken Status Bar Integrity
  63. Blind SQL Injection: Inference through Underflow exception
  64. Exploiting Unexploitable XSS
  65. Clickjacking & OAuth
  66. Google Translate – Google User Content – File Uploading Cross – XSS and Design Stringency – A Talk
  67. Active Man in the Middle Attacks
  68. Cross-Site Identification (XSid)
  69. Microsoft IIS with Metasploit evil.asp;.jpg
  70. MSWord Scripting Object XSS Payload Execution Bug and Random CLSID Stringency
  71. Generic cross-browser cross-domain theft
  72. Popup & Focus URL Hijacking
  73. Advanced SQL injection to operating system full control (whitepaper)
  74. Expanding the control over the operating system from the database
  75. HTML+TIME XSS attacks
  76. Enumerating logins via Abuse of Functionality vulnerabilities
  77. Hellfire for redirectors
  78. DoS attacks via Abuse of Functionality vulnerabilities
  79. URL Spoofing vulnerability in bots of search engines (#2)
  80. URL Hiding – new method of URL Spoofing attacks
  81. Exploiting Facebook Application XSS Holes to Make API Requests
  82. Unauthorized TinyURL URL Enumeration Vulnerability



RockYou Hacked. Some 30 million passwords in the wild [Security]

January 22nd, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

RockYou, a service that offers applications such as slideshows, games, layouts and more for social networking sites like Facebook, MySpace or Orkut that many of those networks’ users seem to love so much, was recently hacked and the service’s entire database of 30+ million data sets exposed. This alone would have been problematic, but the situation grew worse when it became clear that the passwords were stored in plain text in the databases.

This means that more than 30 million complete sets of emails, usernames and passwords were exposed to third parties. At least one hacker managed to get hold of all the data, of which the passwords and a small sample were posted on the Internet.

RockYou users who have an account at the service should immediately change the passwords for all their services that use the same password and email address, to prevent those accounts from being hacked.

RockYou did not only store login information for its own service but also for third-party websites like Facebook or MySpace, to make it as easy as possible for users to use the data in their social networking accounts. This means that MySpace, Bebo or Facebook login information has also been stored on the RockYou servers if the user entered it on their website (see Techcrunch for additional information).

Security company Imperva got hold of the 30+ million passwords that have been selected by RockYou users to secure their accounts. Their findings are alarming:

  • About 30% of users chose passwords whose length is equal to or below six characters.
  • Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.

The password popularity chart is therefore dominated by easy-to-guess passwords such as 123456, Password, rockyou or abc123. The full report of the findings can be downloaded from the Imperva server as a PDF document.

If a hacker had used the list of the top 5000 passwords as a dictionary for a brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users’ passwords, or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second, or just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.

Recommendations for users

  • Choose a strong password for sites where you care about the privacy of the information you store. Bruce Schneier’s advice is useful: “take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m’. That nine-character password won’t be in anyone’s dictionary.”
  • Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can’t remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”
  • Never trust a 3rd party with your important passwords (webmail, banking, medical etc.)

The easiest way to ensure all this is to use a password manager that can generate strong passwords and save them for the user. We recommend LastPass, which is available for several popular web browsers.
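Both failures described in this article, plaintext storage on the server and weak user-chosen passwords, can be handled at registration time. The Python sketch below is an added example, not RockYou's or Imperva's code: it rejects the weakness classes from the Imperva findings and stores only a salted scrypt hash. The function names, the scrypt parameters and the reading of "limited set" as a single character class are assumptions.

```python
"""Added example: reject the weak-password classes Imperva measured and
store a salted scrypt hash instead of the plaintext."""
import hashlib
import hmac
import os
import string

# The four passwords the article names as dominating the popularity chart.
COMMON = {"123456", "password", "rockyou", "abc123"}
# Rows used to spot "adjacent keyboard keys" and "consecutive digits".
KEY_ROWS = ("1234567890", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def is_key_run(pw):
    """True if pw is a run of adjacent keys or digits, in either direction."""
    p = pw.lower()
    return len(p) >= 4 and any(p in row or p in row[::-1] for row in KEY_ROWS)


def class_count(pw):
    """Number of character classes used; non-ASCII counts as its own class."""
    used = sum(any(c in cls for c in pw) for cls in CLASSES)
    other = any(all(c not in cls for cls in CLASSES) for c in pw)
    return used + (1 if other else 0)


def weaknesses(pw):
    """Return the Imperva-style weakness classes a password falls into."""
    found = []
    if len(pw) <= 6:
        found.append("short")
    # Assumption: "limited set" is read here as a single character class.
    if class_count(pw) <= 1:
        found.append("limited-charset")
    if pw.lower() in COMMON or is_key_run(pw) or len(set(pw)) == 1:
        found.append("trivial")
    return found


def hash_password(pw, salt=None):
    """Derive a 32-byte scrypt digest with a per-user random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def register(store, user, pw):
    """Store (salt, digest) for an acceptable password; return problems found."""
    problems = weaknesses(pw)
    if not problems:
        store[user] = hash_password(pw)
    return problems


def verify(store, user, pw):
    """Check a login attempt with a constant-time digest comparison."""
    if user not in store:
        return False
    salt, digest = store[user]
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


if __name__ == "__main__":
    db = {}
    # Constructed sample inputs, including the passwords named in the article.
    for name, candidate in [("a", "123456"), ("b", "rockyou"),
                            ("c", "Password"), ("d", "tlpWENT2m")]:
        print(name, candidate, register(db, name, candidate) or "accepted")
    print("stored users:", sorted(db))
```

A database dump of this store yields salts and scrypt digests rather than reusable credentials, so the attacker has to pay the scrypt cost for every guess against every account.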

Bothunter 1.5 Released!

January 21st, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

One of my favorite projects has a new significant release. Bothunter is an automated bot finding tool. It uses the Emerging Threats signature base, but has a LOT more under the hood. I highly recommend it; we write a lot of signatures based on new threats it identifies first.

 

Find more info here:

http://www.bothunter.net 

The wrong way to determine the size of a buffer

January 21st, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

A colleague of mine showed me some code from a back-end
program on a web server.
Fortunately, the company that wrote this is out of business.
Or at least I hope they’re out of business!

size = 16384;
while (size && IsBadReadPtr(buffer, size)) {
    size--;
}

mswinnt-pwn.txt

January 20th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Microsoft Windows suffers from a user mode to ring 0 escalation vulnerability.

Google v China

January 13th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
It’s been a few months since I mentioned China in a blog post, but this one can’t be ignored. Thanks to SW for passing me this one:

Google Blog: A New Approach to China

In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google…

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted…

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

Welcome to the party, Google. You can use the term “advanced persistent threat” (APT) if you want to give this adversary its proper name. See my post Report on Chinese Government Sponsored Cyber Activities for more details.

I have to really applaud Google for saying they might shut down operations in a country of 1.4 billion potential consumers as a result of an incident detection and response!

There were many events last year that fulfilled my prediction for 2009: “Expect at least one cloud security incident to affect something you value.” I think this one wins hands down.

Never mind the China angle for a moment. All of us should stop and consider what sort of data we are storing at Google, and in what form that data is stored. Google’s Keeping Your Data Safe post for Enterprise customers claims: “While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.” However, my experience with these sorts of incidents is that if it occurred in “mid-December,” Google will be spending the next several months realizing how large the exposure really is.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Ignorance of the 4 new laws a day is no excuse

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
The lead of this story caught my eye:

(CNN) — Legislatures in all 50 states, the District of Columbia, Guam, the Virgin Islands and Puerto Rico met in 2009, leading to the enactment of 40,697 laws, many of which take effect January 1.

That’s an average of 753 laws passed in each of those jurisdictions. At 200 working days in a year, which is normal for you and me, that’s nearly 4 laws per day.

Now, there’s a longstanding principle of law, which is that ignorance of the law is no excuse. That goes back to the day when laws, like the code of Hammurabi, were inscribed at a rate of about 4 letters per day. The laws were posted in the city center where both of the literate people could read them.

Joking aside, at what point does knowledge of the law become an unreasonable demand on the citizenry? Civil rights lawyer Harvey Silverglate has a new book, “Three Felonies a Day: How the Feds Target the Innocent.” I haven’t read it, but as I understand, it’s largely about the proliferation of vague laws, not the sheer numbers.

A few years back, Aleecia McDonald and Lorrie Cranor calculated the cost of reading and understanding the privacy policies of the sites you visit. It was $365 billion. It might be interesting to apply the same approach to the work of legislatures.

Things Darwin Didn’t Say

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
There’s a great line attributed to Darwin:


“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.”

The trouble is, he never said it. Background here.

Original sources are important and fun.

Picture: Real-Life Landspeeder Takes Off

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)


No, this isn’t the Skywalker family’s latest Landspeeder. George Lucas isn’t making a seventh Star Wars film, thank God. It’s a specialized drone, made in Israel, that’s meant to serve as a flying, hovering robotic ambulance and cargo-hauler.

I had my doubts about the drone, when some extremely cheesy concept art for the thing surfaced in 2008. But the AirMule does appear to be moving ahead. The aircraft recently had its first hovering test, and appeared to stay stable, about two feet off of the ground. For the next test: No guidewires. Or lightsabers.

[Photo: Urban Aeronautics]


A Right to Forget – Online

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

There is lots of advice around, addressed to the young and innocent but probably applicable to the old and jaded as well, to be cautious about what one puts online about oneself, since it could be there for a long time and influence people whose interest you have not yet thought about — future employers and mates being two of the main classes.

The French are now pondering a legal ‘right to forget’ (un droit à l’oubli) — or at least a right of a person to get old information about him/herself taken down. The BBC has the story.

Is this: (a) a good idea, and (b) even remotely possible, even by force of law? What about Internet archives, and mirror sites, and viral messages?

I had thought that there was already such a legal rule in French law, though not perhaps enforceable against a host of a web site. Does that sound familiar to anyone else, or did I just make it up?

Should we have something similar here?

Tobacco company helped shape European policy system favoring corporate profits over public health

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
British American Tobacco (BAT), the world’s second largest tobacco transnational, strategically influenced the European Union’s framework for evaluating policy options, leading to the acceptance of an agenda which emphasizes business interests over public health, according to a study published in PLoS Medicine.

New multi-touch screen technology developed (w/ Video)

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
(PhysOrg.com) — Scientists from New York University have formed a company to bring flexible multi-touch screens using a new technology to a range of devices, from e-readers to musical instruments. The new touch screens respond to all kinds of objects, as well as fingers and hands.

How to encourage big ideas

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Scientists are much more likely to produce innovative research when using long-term grants that allow them exceptional freedom in the lab, according to a new study co-written by MIT economists.

The work shows that biologists whose funding encourages them to take risks and tolerates initial research failures wind up producing about twice as many highly influential papers as some peers whose funding is dependent upon meeting closely defined, short-term research targets.

“If you want people to branch out in new directions, then it’s important to provide for their long-term horizons, to give them time to experiment and potentially fail,” says Pierre Azoulay, an associate professor at the MIT Sloan School of Management, and an author of the study. “The researcher has to believe that short-term failure will not be punished.”

The results are contained in a working paper released this fall, “Incentives and Creativity: Evidence from the Academic Life Sciences,” by Azoulay, Gustavo Manso, an assistant professor at Sloan, and Joshua Graff Zivin, an associate professor of economics at the University of California, San Diego.

The researchers believe their evidence shows it is possible to manage lab work in a way that increases the chances that scientists will produce breakthrough findings, not just incremental advances within an established paradigm. “You can generate innovation, but the details matter,” says Azoulay. “What you want to provide incentives for is future performance, not performance today.”

The study appears as science funding has recently risen in the United States, in part through the stimulus bill Congress passed in 2009, which provided about $20 billion for research. Not counting stimulus money, President Barack Obama still included a slight increase in federal support for science as part of his proposed 2010 budget, which asks for about $148 billion for research and development. In April, Obama suggested that scientific funding should equal 3 percent of America’s economic production. Azoulay says he and his colleagues would like to instigate a discussion about not only how much money should be spent on research, but how those funds should be managed.

Measuring creativity

Azoulay, Manso, and Graff Zivin arrived at their conclusions after comparing researchers using two distinct types of funding: support from the investigator program of the Howard Hughes Medical Institute (HHMI), the large non-profit biomedical research organization in Maryland, and the R01 grants of the National Institutes of Health (NIH), the federal government’s life-science center in Maryland. The HHMI support lasts five years and is often renewed; the program “urges its researchers to take risks … even if it means uncertainty or the chance of failure.” The HHMI also provides a two-year buffer of support after funding is terminated. The NIH grants last three to five years, have more specific aims, and cease immediately if not renewed.

The researchers identified 73 life scientists given HHMI support in three years — 1993, 1994, and 1995 — and tracked their work through 2006. Because these scientists were quite well-regarded before getting HHMI funding, the study compared them to groups of similarly accomplished scientists receiving NIH grants: one group of 393 scientists who had received early-career prizes, and another group of 92 scientists receiving the NIH’s MERIT funding, awarded to highly promising projects.

Among other things, Azoulay, Manso, and Graff Zivin analyzed how often these scientists published articles that were among the top 5 percent or top 1 percent of the most cited papers in their fields. They also studied “creativity” in lab research by seeing how often the scientists began using new keywords to describe the subjects of their articles.

Their findings show that compared to the early-career prize winners with NIH grants, the HHMI-funded scientists produced twice as many papers in the top 5 percent in terms of citations, and three times as many in the top 1 percent. Compared to the NIH-funded scientists with MERIT grants, the HHMI group produced about the same quantity of papers in the top 5 percent by citation, but 50 percent more papers in the top 1 percent.

The study also found that the HHMI investigators had about 10 percent more variety in the keywords they introduced into their own work than the early-career prizewinners from the NIH, and were cited in a greater range of journals. Additionally, the HHMI-backed scientists mentored more early-career prize-winning scientists themselves (1.13 per person) compared to the NIH-funded group (0.24 per person).

Avice Meehan, vice president for communications and public affairs at HHMI, says the study reflects the fact that over the last two decades, “HHMI has identified highly creative scientists and given them the freedom to pursue critical medical research, even if it takes them years, and means a change of research direction.”

The view from the NIH

The researchers acknowledge that measures such as keywords are imperfect indicators of creativity, but think such tools are a reasonable way of identifying originality in the lab. “There are as many definitions of creativity as there are people studying creativity,” acknowledges Azoulay. “But ultimately creativity is measured in especially good outcomes.” 

Azoulay, Manso, and Graff Zivin also emphasize that their work is not an institutional critique of the NIH. “The conclusion of our paper is not that the NIH should transform itself into a version of the HHMI,” Azoulay adds.  Their larger point simply concerns the effects of different types of grants. If major discoveries are not unanticipated events, but influenced by the underlying funding, policy-makers could consider that point when allocating research dollars.

Moreover, the civic value of science often comes not only from an initial breakthrough, but later incremental refinements of it. In those cases, shorter-term, narrower research provides significant social benefits. “It’s an outstanding question what the actual mix of exploration and exploitation we need is,” Azoulay notes.

Don Ralbovsky, an NIH spokesperson, said a staff member in the NIH’s Office of Extramural Research had looked at the paper and described it as “interesting,” but would refrain from further comment until the paper appears in final published form.

In recent years, the NIH has developed multiple types of funding beyond the traditional R01 grants. The Pioneer Award, founded in 2004, is a grant for “highly innovative new research approaches,” to be given to seven scientists in 2010. The New Innovator Award is for 33 early-career investigators in 2010, emphasizing “innovation and potential impact.” And in 2008, the NIH established Transformative Research projects Awards, making $25 million available for “bold and creative investigator–initiated research.” All of these grants last five years, instead of three for the standard R01 grants.

Azoulay agrees that the existence of a variety of types of grants can help science as a whole. “A division of labor might benefit the entire research ecosystem,” he says. The HHMI’s Meehan concurs: “It’s important for the nation to have a comprehensive research portfolio that encompasses many approaches and mechanisms.” (This research was funded in part by the Kauffman Foundation and the Science of Science Policy Program of the National Science Foundation.)

One long-term goal of Azoulay’s work is “to bring randomized trials to science policy.” By comparing two groups over time, this study attempts to replicate the lab-trial method, albeit with historical data, and shed more empirical light on a subject often discussed anecdotally.

“This is the first word on the topic, not the last,” concludes Azoulay.

TEDTalks : Loretta Napoleoni: The intricate economics of terrorism – Loretta Napoleoni (2009)

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Loretta Napoleoni details her rare opportunity to talk to the secretive Italian Red Brigades — an experience that sparked a lifelong interest in terrorism. She gives a behind-the-scenes look at its complex economics, revealing a surprising connection between money laundering and the US Patriot Act.

TEDTalks : James Geary, metaphorically speaking – James Geary (2009)

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Aphorism enthusiast and author James Geary waxes on a fascinating fixture of human language: the metaphor. Friend of scribes from Aristotle to Elvis, metaphor can subtly influence the decisions we make, Geary says.

TEDTalks : Steven Cowley: Fusion is energy’s future – Steven Cowley (2009)

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Physicist Steven Cowley is certain that nuclear fusion is the only truly sustainable solution to the fuel crisis. He explains why fusion will work — and details the projects that he and many others have devoted their lives to, working against the clock to create a new source of energy.

BackTrack 4 Final Release

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Taken from the new BackTrack Site:
BackTrack 4 Final is out and along with this release come some exciting news, updates, and developments. BackTrack 4 has been a long and steady road, with the release of a beta last year, we decided to hold off on releasing BackTrack 4 Final until it was perfected in every [...]

Computer Security Training

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
SANS has a new web site for those interested in Computer Security Training:

Computer Security Training

junos-crash.pl.txt

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
JunOS malformed TCP options remote denial of service exploit.

Smart meter crypto flaw worse than thought

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Travis Goodspeed has continued finding flaws in TI microcontrollers, branching out from the MSP430 to ZigBee radio chipsets. A few days ago, he posted a flaw in the random number generator. Why is this important? Because the MSP430 and ZigBee are found in many wireless sensor systems, including most Smart Meters.

Travis describes two flaws: the PRNG is a 16-bit LFSR and it is not seeded with very much entropy. However, the datasheet recommends this random number generator be used to create cryptographic keys. It’s extremely scary to find such a poor understanding of crypto in a device capable of forging billing records or turning off the power to your house.

The first flaw is that the PRNG is not cryptographically secure. The entropy pool is extremely small (16 bits), which can be attacked with a brute-force search in a fraction of a second, even if used with a secure PRNG such as Yarrow. Also, the PRNG is never re-seeded, which could have helped if implemented properly.

Even if the entropy pool was much larger, it would still be vulnerable because an LFSR is not a cryptographically-secure PRNG. An attacker who has seen some subset of the output can recreate the LFSR taps (even if they’re secret) and then generate any future sequence from it.

The second problem is that it is seeded from a random source that has very little entropy. Travis produced a frequency count graph for the range of values returned by the random source, ADCTSTL, a radio register. As you can see from that graph, a few 8-bit values are returned many times (clustered around 0 and 100) and some are not returned at all. This bias could be exploited even if it was used with a cryptographically-secure PRNG.

These problems are each enough to make the system trivially insecure to a simple brute-force attack, as Travis points out. However, it gets worse because the insecure PRNG is used with public-key crypto. The Z-Stack library includes ECC code written by Certicom. I have not reviewed that code, but it seems reasonable to use a library from a company that employs cryptographers. But the ECC code makes the critical mistake of leaving implementation of primitives such as the PRNG up to the developer. Other libraries (such as OpenSSL, Mozilla’s NSS, and Microsoft’s Crypto API) all have their own PRNG, even if seeding it has to be left up to the developer. That at least reduces the risk of PRNG flaws.

ECC, like other public key crypto, falls on its face when the design spec is violated. In particular, ECDSA keys are completely exposed if even a few bits of the random nonce are predictable. Even if the keys were securely generated in the factory during the manufacturing process, a predictable PRNG completely exposes them in the field. Since this kind of attack is based on poor entropy, it would still be possible even if TI replaced their PRNG with one that is cryptographically secure.

Given that these chips are used in critical infrastructure such as smart meters and this attack can be mounted remotely, it is important that it be fixed carefully. This will be difficult to fix since it will require hardware changes to the random source of entropy, and there is already an unknown number of devices in the field. Once again, crypto proves fragile and thorough review is vital.
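The two PRNG flaws described above can be measured directly, which is the check a firmware reviewer would run before trusting a generator for key material. The Python sketch below is an added example, not code from Travis Goodspeed's post or from the Z-Stack library. The tap mask 0xB400 is a textbook maximal-length polynomial used as an assumption (the article does not give the chip's polynomial), and the seed samples are constructed to mimic the clustering around 0 and 100.

```python
"""Added example: measuring how little entropy a 16-bit LFSR key generator has."""
import math
from collections import Counter

# Assumption: textbook maximal-length 16-bit Galois LFSR (tap mask 0xB400).
# The chip's real polynomial is not given in the article.
TAPS = 0xB400


def lfsr_bytes(seed, n):
    """Return n output bytes of the LFSR started from a 16-bit seed."""
    state = seed & 0xFFFF
    out = bytearray(n)
    for i in range(n):
        byte = 0
        for _ in range(8):
            bit = state & 1          # the output bit is the LSB
            state >>= 1
            if bit:
                state ^= TAPS        # Galois feedback
            byte = (byte << 1) | bit
        out[i] = byte
    return bytes(out)


def keyspace_size(key_len=16):
    """Count the distinct key_len-byte keys the generator can ever emit."""
    # Seed 0 is the LFSR's stuck state and is skipped.
    return len({lfsr_bytes(seed, key_len) for seed in range(1, 0x10000)})


def seeds_matching(observed):
    """List every seed whose output begins with the observed bytes.

    The whole state space is 65535 values, so an exhaustive pass is cheap;
    this is what "16 bits of entropy" means in practice.
    """
    n = len(observed)
    return [s for s in range(1, 0x10000) if lfsr_bytes(s, n) == observed]


def shannon_entropy_bits(samples):
    """Shannon entropy, in bits per sample, of an observed seed source."""
    counts = Counter(samples)
    total = len(samples)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


# Constructed samples mimicking an 8-bit seed register whose readings
# cluster around 0 and 100, as the article describes.
BIASED_SEED_SAMPLES = [0] * 40 + [1] * 10 + [99] * 10 + [100] * 30 + [101] * 10


def report(key_len=16):
    """Summarise the generator: key space, effective bits, seed entropy."""
    keys = keyspace_size(key_len)
    return {
        "nominal_key_bits": key_len * 8,
        "distinct_keys": keys,
        "effective_key_bits": math.log2(keys),
        "seed_entropy_bits_per_read": shannon_entropy_bits(BIASED_SEED_SAMPLES),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
    # Two observed output bytes already pin down the generator state.
    print("seeds consistent with 2 bytes:",
          len(seeds_matching(lfsr_bytes(0x1234, 2))))
```

A nominal 128-bit key from this generator has about 16 effective bits, and the biased seed source shrinks the realistic search space further. A larger LFSR does not fix this, since its output is still linear; the fix is a cryptographically secure PRNG seeded from a source with measured entropy.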

The Power Law of Terrorism

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Research result #1: “A Generalized Fission-Fusion Model for the Frequency of Severe Terrorist Attacks,” by Aaron Clauset and Frederik W. Wiegel. Plot the number of people killed in terrorist attacks around the world since 1968 against the frequency with which such attacks occur and you’ll get a power law distribution, that’s a fancy way of saying a straight line when…