The Linux Ninja

Here are some stories from the past week that I found interesting:

• Pcapline.py and the Ann’s Aurora network forensics challenge – Wesley McGrew’s blog post about the tool he wrote for his winning entry into the latest SANS Forensics Challenge
• REMnux: A Linux Distribution for Reverse-Engineering Malware – Lenny Zeltser announced a new linux-based distribution targeted at reverse-engineering malware. It comes preloaded with a great set of tools and is distributed in VMWare’s Virtual Machine format.
• The True Problem with Web Apps and Security – Rafal Los wrote a nice post talking about what he views as the reasons why making web apps secure is so hard.
• Writing Fuzzable Code – Adam Shostack talks about how Microsoft is trying to build security in to their codebase.
• Hi! I’m a security researcher and here’s your invoice – Interesting editorial by Michael Zalewski on the selling/withholding of vulnerabilities
• Special Look: Face Time parts 1, 2, 3 – Great series by Josh Wright examining Apple’s FaceTime video chat protocol
• OSX ROP Exploit – EvoCam Case Study

So Google huffed and puffed about leaving China, but it looks they will likely back down on their threat. Also, the sky is still blue. Why? My best guess is the profits they can generate ultimately outweighed the threats that may have been posed by Chinese nationals / government /all the hacked computers part of a giant botnet that exist there (and any uproar from shareholders who were also disappointed about throwing away money). There’s too much potential for profit and even talent recruiting that Google would sacrifice by leaving China. I doubted Google would ever actually leave China and the more I thought about the situation, the more it seemed like a threat to get either a confession or concessions out of the Chinese government. At least Google chose to use something that would appear to be (at least to me) one of the Chinese government’s biggest fears as their threat: freedom of information to all Chinese citizens. Most likely that will end as they come to some sort of under-the-table agreement about continuing censorship in exchange for marketshare / money / access. I could be wrong and Google may be one of the first major players to stand up to China, but it just seems extremely unlikely.

Can’t make it to DC this year for Shmoocon due to time, money, or gigantic snowstorms? Fear not, there will be a live stream starting this friday! DC is getting slammed by a massive snowstorm, but Bruce Potter has vowed to not let that stop his con of awesomeness Look for any further updates on the Shmoocon news page. I can’t wait to see the unleashing of the Shmoo-cannons

Jack Daniel (@jack_daniel) announced that there will be a Security B-Sides event coming to Austin on March 13 to coincide with everyone coming to town for SXSW Interactive an to help “Keep Security Weird.” I listened to the excellent B-Sides Las Vegas talks and I am extremely excited to be able to attend a B-Sides event in person since I’m already in the Austin area . I can’t think of a better way to make up for killing my phone service than by offering what promises to be an awesome lineup of talks .

If Jack or any other organizers read this let me know if there’s anything I can do to help out…

(also, I will probably start posting more regularly after getting settled in from moving and my duties at the new job)

I created a new page that contains links to all of the InfoSec self education resources that I currently use or have used in the past. The page started out as a blog post but morphed into a page because it was something I saw myself and potentially others referring back to and updating in the future. I have links to blogs, podcasts, webcasts, conference materials, live distributions, and I am currently in the process of adding some mailing lists. I am still updating many of the sections on the page, but I will take any and all suggestions of things to add.

-jason

I started listening to the Security B-Sides Las Vegas 09 audio release by the Security B-Sides guys (I believe Jack Daniel did most of the audio editing) after forgetting that the mp3 files had been out there for awhile. You can either subscribe to the B-Sides RSS feed or subscribe to the podcast in iTunes. So far I have finished listening to to a talk on WarVOX by H.D. Moore of the Metasploit project, a talk on using BeEF + Cain for snagging and cracking password hashes, and a good talk by Mike Kershaw, author of kismet, that covers developments in lorcon and kismet and integration into metasploit. These have all been really interesting and informative to listen to and are highly recommended.

The BruCon conference was held at the end of September and they released the presentation materials and video soon after. You can find the video on the BruCon website here and the materials here.I’ve started watching Chris Nickerson’s (of Tiger Team fame and currently one of the hosts on Exotic Liability in addition to his day job at Lares Consulting) talk and it’s been really good so far. The videos look to be a little bit fuzzy so I recommend following along in the PDF versions of the slides.

I hope to take some ideas from these talks and start making some posts on using the tools and methods talked about and applying them in virtual environments for those that are inclined to do alot of self-learning, so please stay tuned….

UPDATE: Edited to reflect my mistake of saying Jayson Street donating all of his proceeds from his book to Hackers for Charity. He is, however, donating a portion of his proceeds to Hackers for Charity so you should still buy it for that and because it’s a great book

I just wanted to make a few quick book recommendations about one book I recently finished reading and one I plan to start reading as soon as it arrives.
I read Daemon by Daniel Suarez in about a week and I found it very engrossing. The basic idea is that a genius programmer named Matthew Sobol who is dying of brain cancer has created programs that are waiting for triggers (the first one being news of his death). Once these daemons trigger they start setting events in motion that enable a distributed and extremely sophisticated AI to coordinate an attempt at restructuring everything according to Sobol’s vision. The only things that took me out of the book were the technical definitions he inserted in the beginning of the book that felt kind of out of place. I felt they might be better placed in a glossary area or made a little simpler. When one of the characters gives a very technical definition of VOIP to a very non-technical cop and the cop accepts it like he understands it just didn’t feel right. That’s my only major gripe with the book and once he gets some initial terminology out of the way those parts disappear and the story gets moving pretty fast. I somewhat saw the ending coming but that was more because I heard some snippets about the sequel and I was able to piece together what needed to happen to get to some of the vague plot points I heard. I definitely recommend reading the book and then following up with the sequel Freedom (TM) when it comes out early next year.

My other book recommendation is Dissecting the Hack: The f0rb1dd3n Network by Jayson Street and others. Jayson has said that he will be donating all of his proceeds a portion of his proceeds to Hackers for Charity and the link I provide is via Johnny Long’s affiliate link so you can end up helping Johnny double . My copy is currently on order and I am waiting for it to arrive so I can dive in.

The  number of  XSS, XSRF,  command injection, and SQL injection vulnerabilities in popular web applications has seemed to be increasing alot over the last year and I am left wondering why these things keep popping up (and I also wonder why it’s take me a month to finish this rant ).

Continue reading

The Dutch  branch of Tele2 has apparently been assigning the same default password to all users according to SC Magazine.  From the article:

The Dutch branch of Tele2 claimed that when a new subscriber signs up, they can choose a login or are assigned one and they are then sent a letter by Tele2 with their login name, password and the date their new DSL connection will be activated.

As the password is changed monthly instead of being generated randomly, all subscribers that signed up in the same month will have the same password.

Writing on the securityandthe.net blog, author Martin claimed that the letter does not even mention the need to change this password anywhere, and with the correct login and password, you can, amongst others, view and change the customer’s contact details and view their billing history.

I wonder if they store the passwords in plaintext too? It’s extremely simple to write something to generate a random password and insert that in place of “password=’lame’” in the codebase so they really have no excuse for this. Even making the the change mandatory doesn’t fix the problem because  I would still be able to get into your account if you haven’t logged in yet. This is almost as bad as AT&T leaving just about every iPhone user’s voicemail unprotected by a password and not telling them or giving them an easy option on the phone itself to setup a password.

I was reminded that on this day in 1991 Linus posted his Usenet message announcing his creation of a new hobby OS that he had been working on and looking for feedback. I know that I would not be where I am today if it were not for Linux and all the wonderful software distributions that use its kernel.

So a big “Thank You!” goes out to Linus and a “Happy 18th Birthday!” to Linux.