Sunday, 26 September 2010

Definitely not outage Virgins

So in case you haven't heard, an international budget airline here in Australia has had a major computer issue, see here.
By the sounds of it their outsourced service provider doesn't have redundant kit, as they couldn't simply fail over. But it gets worse: currently going to or leaks a lot of information, including a nice juicy standard ASP.NET error page, of the type that the recently discussed ASP.NET padding oracle attack can make great use of, see here. That verbose error page matters because it lets an attacker tell a padding failure apart from every other kind of failure, which is exactly the oracle the attack needs; the whole point of Microsoft's workaround at the time was to return one identical error page for every error.
Ouch and double ouch. Oh, and we hear this is not the first outage they have had in as many months...

Sunday, 25 July 2010

passive recon on valued targets

So there was a bit of a flash in the pan recently, when my post on a simple autorun virus exploded after I notified Patrick Gray of the Risky Business podcast and he blogged it, and then ZDNet, Lifehacker and Slashdot (cue O Fortuna) picked it up. I am now even listening to the Risky Business podcast episode where I get a mention.
Needless to say I got a lot of traffic (not a tonne; maybe the Slashdot effect is waning). The majority came from home users. Interestingly, a few had Firefox with JavaScript turned off, and these showed up in ExtremeTracker (I have used it for a while, and it obviously still has some value), while those that didn't showed up in Google Analytics.
I am a big fan of NoScript, so it seems I am not alone.
Before I get to my main point, I need to correct a couple of things.
First, Lifehacker seemed to allude to the USB key having been infected from my home system or in some other way. This is simply untrue. This is a Windows virus, thus a Windows binary; it simply won't run on Linux, so there was no way to get infected there, and that was the last system it was plugged into, with everything on it deleted to make way for the small collection of photos. The other point is the investigation I did: our receipt showed a time of 2:35pm (I have already given the job number to BigW for their investigation team), and the creation time of the virus folder (and of the files inside it) was 2:24pm on the same day as the receipt.
On to the main point.
Of the total ~2000 hits, there were some interesting and funny ones. There were the obligatory hits from Woolworths, BigW's parent company, then the funny ones from Coles (their biggest competitor) and Kodak (the kiosks are Fujifilm). Then came the interesting ones, obviously driven by the Slashdot post: hits from government organisations, and from big military complexes and security agencies the world over.
The point of this post is to show what kind of information these different public and private organisations exposed. First off the bat, something I had thought about but my boss put eloquently into words: "Why do so many of these organisations have such telling reverse DNS records or IP block records?" Why indeed. I am not going to name names beyond the ones I have already named: Woolworths, for instance, whose block was registered to Woolworths Limited.
The next point concerns me more: the other data that leaked out. I have their external IP; OK, that's not really much on its own. But I also have their browser version (a lot of IE6 out there, people; have you learned nothing from the Google breach?), their connection speed, OS, etc. This could lead to someone simply writing a decent tech article, getting Slashdotted, then watching a list of targets stream in, doing a bit of Google digging to find an email address/LinkedIn/Facebook for an employee at one of those companies, and sending them an email about a follow-up post carrying a nice 0-day with remote code execution to install custom malware. That is good reconnaissance on the most valuable (techie) targets. You can usually assume the techies are running the latest software in the company, so if you see IE6 you have hit pay dirt, and if you see Mozilla 1.0, woo. You can even look for outdated OSes with unpatched vulnerabilities; there were a couple of Windows 98 and Windows 2000 hits. Oh, and to the OS/2 Warp 4 user that hit the site (if it wasn't forged), both my apologies and my respect...
So from this I would think maybe everyone should run their proxies out of a different IP, one from a block that is not registered to their company name and that has no reverse DNS, and, you know, update your browser and OS once in a while, or change what your browser reports itself as to a different browser. One caveat on that last point: a faked User-Agent only hides the version from passive observers; it does not make an old browser any less exploitable once someone does get an exploit in front of it.
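To make the reconnaissance angle concrete, here is an added example (my own code, not anything from the original post or from the tracking services it mentions) that does what an attacker reading the server logs would do: parse web server access log lines, pull the operating system and browser out of each User-Agent, flag the stale ones, and group the flagged hits by the organisation a netblock is registered to. The log lines, IP addresses, netblock registrations and organisation names below are all constructed for the example; the netblock table stands in for the whois and reverse DNS data that the post says gave the visitors away.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed Apache "combined" log lines standing in for the hits the post
# describes. IPs are from documentation ranges; User-Agents are made up.
SAMPLE_LOG = """\
203.0.113.17 - - [25/Jul/2010:10:03:11 +1000] "GET /2010/07/big-wirus.html HTTP/1.1" 200 8123 "http://slashdot.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.44 - - [25/Jul/2010:10:04:02 +1000] "GET /2010/07/big-wirus.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
198.51.100.9 - - [25/Jul/2010:10:05:40 +1000] "GET /2010/07/big-wirus.html HTTP/1.1" 200 8123 "http://slashdot.org/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.12 - - [25/Jul/2010:10:06:01 +1000] "GET /2010/07/big-wirus.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8.1.24) Gecko/20100418 Firefox/2.0.0.24"
192.0.2.77 - - [25/Jul/2010:10:07:15 +1000] "GET /2010/07/big-wirus.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
"""

# Constructed stand-in for whois / reverse DNS: which netblock is registered
# to which organisation. Example data only, not real registrations.
NETBLOCKS = {
    ip_network("203.0.113.0/24"): "Example Retail Pty Ltd",
    ip_network("198.51.100.0/24"): "Example Government Department",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows NT kernel version as reported in the UA -> marketing name.
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows Server 2003",
              "6.0": "Windows Vista", "6.1": "Windows 7"}


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fingerprint(ua):
    """Pull OS and browser out of a User-Agent string and flag the stale ones."""
    os_name, browser, flags = "unknown", "unknown", []
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_name = WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
    elif "Windows 98" in ua:
        os_name = "Windows 98"
    elif "OS/2" in ua:
        os_name = "OS/2"
    elif "Linux" in ua:
        os_name = "Linux"
    elif "Mac OS X" in ua:
        os_name = "Mac OS X"
    # Windows 98 and 2000 were out of support by mid-2010; OS/2 long before.
    if os_name in ("Windows 98", "Windows 2000", "OS/2"):
        flags.append("unsupported OS")

    m = re.search(r"MSIE (\d+)\.(\d+)", ua)
    if m:
        browser = "MSIE %s.%s" % (m.group(1), m.group(2))
        if int(m.group(1)) < 7:
            flags.append("IE older than 7")
    else:
        m = re.search(r"Firefox/(\d+)\.", ua)
        if m:
            browser = "Firefox " + m.group(1)
            if int(m.group(1)) < 3:
                flags.append("Firefox older than 3")
    return os_name, browser, flags


def owner_of(ip):
    """Look the client IP up in the (constructed) netblock registration table."""
    addr = ip_address(ip)
    for net, org in NETBLOCKS.items():
        if addr in net:
            return org
    return "not in sample whois data"


def analyse(log_text):
    """Turn raw log text into one record per hit: who, from where, running what."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        os_name, browser, flags = fingerprint(rec["ua"])
        hits.append({"ip": rec["ip"], "org": owner_of(rec["ip"]), "os": os_name,
                     "browser": browser, "flags": flags, "referer": rec["ref"]})
    return hits


def targets_by_org(hits):
    """Group only the flagged (stale software) hits by registered owner: the target list."""
    grouped = defaultdict(list)
    for h in hits:
        if h["flags"]:
            grouped[h["org"]].append(h)
    return dict(grouped)


if __name__ == "__main__":
    for org, hs in targets_by_org(analyse(SAMPLE_LOG)).items():
        print(org)
        for h in hs:
            print("  %-15s %-14s %-10s %s" % (h["ip"], h["os"], h["browser"], ", ".join(h["flags"])))
```

Run it and the two home-user hits on current Firefox fall out; what remains is a short list of organisations with an IE6-on-Windows-2000 box and an unsupported OS behind them, which is the "list of targets streaming in" the post describes. The same script is the defender's check: run it over your own outbound proxy logs and you see exactly what the other side sees.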

Sunday, 4 July 2010

Big Wirus

Gather round everyone for a tale of woe.
So I loaned one of my many USB keys to Fiona to back up some of our photos to print at a BigW, Mt Gravatt to be precise. I had cleared everything off it and handed it over to her to copy the photos across. We tried it in a local BigW (Mt Ommaney) on Saturday but couldn't find a station that worked properly; we managed to get a few photos printed, but Fiona kept the key to see if she could get them printed elsewhere.
Off she trotted to Mt Gravatt BigW on Monday after she dropped the kids at kindy; she printed out the photos and thought nothing of it. On Wednesday night I decided I should move my files back. I plugged the USB key in and noticed, among the photos, a hidden autorun.inf. It's not usual for me to leave one of those there. A quick read of it in a text editor showed it was trying to run RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe. Scanning that file with ClamWin identified it as Trojan.Poison-36 (it goes by other names; Trojan.KillAV is Symantec's), a nasty little phone-home trojan that was only discovered recently (9/06/10), which uses the usual trick of infecting attached drives via autorun.inf. It then tries to kill AV programs and, once that is done, downloads other malware, see here.
I was safe due to my self-inflicted draconian software restriction policy, and Fiona, who had plugged it into her laptop, was safe because it is a Windows exe and she runs Linux.
So I notified BigW back on the 30th; I think for something so little I have given them reasonable disclosure. It is something they could have designed against: by using a software restriction policy, by simply making USB devices read-only via policy, or, hey, you know, antivirus that at least occasionally gets updated...
I was and still am tempted to put my own little exe and autorun.inf on a key to see if the kiosks are still vulnerable, but Fiona has advised against it, my little voice of reason.
My problem with this issue is that there seems to be little design that has gone into a system thousands of people probably use each week, and little concern for the users of these systems: how many people are going to get home and infect their own systems, and how many are going to not realise it was due to the dodgy kiosk they used, and then blame the internet, Microsoft, or their kids? I am not a big fan of misplaced blame.

Not really much news here; viruses are a part of life. But with most modern USB keys no longer having the nice little read-only switch, there is little you can do to protect yourself. You could try having an autorun.inf on your key that is marked read-only; that may work unless the virus knows how to clear the attribute, which is trivial to do. A slightly sturdier version of the same trick is a directory named autorun.inf: a file of that name cannot be written over it without the directory first being deleted, and Windows cannot parse a directory as an autorun script. A virus that knows about the trick can still remove the directory, so it is a speed bump, not a fix.
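Two of the things above are worth seeing in code: what to look for in an autorun.inf pulled off a key, and the directory-named-autorun.inf trick. The following is an added example of my own, not code from the post, from BigW, or from any AV vendor. The RECYCLER path and driver.exe name are the ones the post reports; the rest of the malicious autorun.inf (the icon, action and shell verb lines) is a constructed reproduction of the pattern such files typically follow, and the benign one is constructed too. The "vaccination" demo uses a temporary directory as a stand-in for the root of a USB key.

```python
import os
import re
import tempfile

# Modelled on the file described in the post: the open= target is the path
# the post names; the other keys are the usual trimmings, constructed here.
MALICIOUS = r"""
[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe
shellexecute=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe
"""

# A constructed, harmless autorun.inf: only a volume label and an icon.
BENIGN = """
[autorun]
label=Holiday photos
icon=photos.ico
"""

EXEC_KEYS = ("open", "shellexecute")
EXEC_VERB_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)
# Folders Explorer hides by default, plus a bare SID-shaped directory name.
HIDDEN_DIR_RE = re.compile(
    r"recycler|recycled|\$recycle\.bin|system volume information|S-1-5-21-\d+-\d+-\d+-\d+",
    re.IGNORECASE)


def parse_autorun(text):
    """Tolerant INI parse returning (section, key, value) with keys lower-cased.
    Real autorun.inf droppers pad the file with junk lines to upset scanners,
    so anything that is not a section header or key=value is skipped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((section, key.strip().lower(), value.strip()))
    return entries


def inspect_autorun(text):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    for section, key, value in parse_autorun(text):
        if section != "autorun":
            continue
        if key in EXEC_KEYS or EXEC_VERB_RE.match(key):
            findings.append("%s launches: %s" % (key, value))
            if EXE_RE.search(value):
                findings.append("%s points at an executable" % key)
            if HIDDEN_DIR_RE.search(value):
                findings.append("%s hides its payload under a recycler/SID folder" % key)
        elif key == "action" and "open folder" in value.lower():
            findings.append("action mimics Explorer's own 'Open folder to view files'")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append("icon borrows a stock shell32 icon to look like a plain drive")
    return findings


def vaccinate(mount_root):
    """Occupy the autorun.inf name with a directory so a file of that name cannot be written."""
    os.makedirs(os.path.join(mount_root, "autorun.inf"), exist_ok=True)


def try_plant(mount_root, inf_text):
    """What the worm does: write autorun.inf at the drive root. True if it succeeded."""
    try:
        with open(os.path.join(mount_root, "autorun.inf"), "w") as fh:
            fh.write(inf_text)
        return True
    except OSError:  # IsADirectoryError on Unix, PermissionError on Windows
        return False


def demo_vaccination():
    """Plant into a fresh 'key', then vaccinate and plant again: (True, False) expected."""
    with tempfile.TemporaryDirectory() as root:
        planted_before = try_plant(root, MALICIOUS)
        os.remove(os.path.join(root, "autorun.inf"))
        vaccinate(root)
        planted_after = try_plant(root, MALICIOUS)
    return planted_before, planted_after


if __name__ == "__main__":
    for f in inspect_autorun(MALICIOUS):
        print("!", f)
    print("benign findings:", inspect_autorun(BENIGN))
    print("planted before / after vaccination:", demo_vaccination())
```

The inspector flags every key that can launch something, whether it points at an executable, and whether that executable is tucked into a folder Explorer hides, which is what made the key look clean at a glance. The vaccination half shows the limit of the trick honestly: the second plant fails only because a file cannot replace a directory in one write; a dropper that deletes the directory first gets through, so treat it as a speed bump alongside, not instead of, disabling autorun and restricting what can execute.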

Tuesday, 27 April 2010


I am the first to admit I am a sad geek. When I saw this the other day it made me laugh, possibly a little too much:
What follows is a computer security debate about a fictional character in a fictional universe; I apologise in advance.
Now I have to debate this. I always thought of R2-D2 as the ultimate in automated hacking: an AI that is constantly finding vulnerabilities and writing exploits; heck, he probably has a virtual Imperial system running in his hardware to throw test code at. That, and he had physical access to a data port, a la USB, so he may have known some nice little direct memory injections, or even a kind of side-channel attack: if the system was one big computer (which it seems to be) he could have been detecting key inputs from other terminals via power fluctuations at the data port.
If it was a network, he could have known some protocol vulnerability or remote code exec that the good old pompous "no one will be able to get to that vulnerable access port on our space station" Empire would not bother patching. Can you imagine the amount of patching the Empire would have to do, though?

If we take the monolithic single-computer-per-vessel approach (which leaves no room for redundancy), you have at its peak 25,000 Star Destroyers, 12 Super Star Destroyers and around 3 million other vessels (TIE fighters, corvettes, gunships, transports, and the Death Star). So let's say 3 million huge computers that probably can't be patched while in service, so will only be patched when in for maintenance at a dock, leaving lots of time for vulnerabilities to be discovered; and vulnerabilities on a non-segregated, single monolithic computer would be awesome. Initiate self-destruct, anyone?

If we take the multi-computer networked approach (which seems more likely given what we know: the hyperdrive computer needed time to spin up, and droids seem independent): a Star Destroyer had about 5,000 crew, the Super Star Destroyer and the Death Star about 300,000 each, and we will say the smaller craft had an average of 10 crew (TIE fighters, corvettes, gunships and transports). So that means a total of about 160 million service men and women. They probably work three 8-hour shifts a day, plus some to cover weekends, so maybe a quarter of those have actual workstations, but there would be servers and central computers too, so say 80 million computers, plus about 10 million network devices. It is near on impossible to have 100% patch rollout on a network of that size; give someone physical access to that network and they will get in somewhere, especially if that someone is a precocious little blue and white droid.


Thursday, 15 April 2010

Atlassian and Apache are related?

A very good write-up of the impressive attack that was carried out on these two groups:
It is good that this underlines the real power of an XSS; I have heard people dismiss XSS, and this will be good to pull out at times like that. But it wasn't just XSS, it was a coordinated, multi-pronged attack, the work of real pros. Just goes to show: if someone wants in badly enough, they will get in.
I know some of the people at Atlassian and I would say that unfortunately they got attacked by a better opponent. No one is infallible. It is good, though, how Atlassian handled it, and then how Apache handled the resultant attack. I would say Atlassian was the target because of the donation to Apache; it made them a target.

Oh yeah, and I have said it before and I will say it again: I hate URL shortening services; they should all die in a fire. If Twitter wants to stick to 140 characters (which is a good thing), it should move to putting URLs in the page as a simple HTML link at the bottom, the way Facebook does it.

Tuesday, 9 February 2010

A bleak but bright future

So I was listening to Dan Geer on the Risky Business podcast talk about the possible future of computing while flicking through my RSS feed today, and I came to a realisation.
The future of computing is going to be bleak. But maybe good for our security.
Dan was talking about the new iPad and existing single-purpose devices as the new wave of computers. Think about it: a device that is so locked down and vendor locked-in that it is inherently secure because of that. Devices that are single purpose; they don't and can't do everything your previous computer could. A light and a switch don't require updates or security patches. Their purpose is singular: provide light, or not.
These computers would do the same: provide a game, information, or what have you. We are already here to some extent, with single-purpose computers plugged into or built into televisions, locked down the way the vendor wants, not necessarily locked down enough, but regardless. They still have bugs, ways to circumvent the original intended operation, but generally speaking these bugs require the inclined to be in front of the device, not miles away in their parents' basement.
Then while listening to this and pondering I read another article about "Cloud computing".
So the future will be these big provided clouds: some to play games in, some for businesses, others for research and development. Single-purpose environments abstracted away from even the technical users, who will use a single-purpose thin client to access these clouds.
So on one front it sounds good: security and technicalities are abstracted away to an extent. On another front it means tinkering will be harder, with everything; technical people will actually be less technical than they are now, a dumbing down all around.
I have played with Amazon's Elastic Compute Cloud and Google App Engine, and I run a personal virtual server on my laptop and media centre as well as several different ones in production, so I can see the advantage for the moment, but they can pry my multi-purpose machines from my cold dead hands when the time comes.

Feel like donating to me? Bitcoin: 1BASSxgFZ2j8VfXFrWJHNvYdQXDtJKAUuN or Ethereum: 0x2887D4B4fe1a7162D260CeA7E1131AF8926bd87F