Looks like Gadi Evron, security researcher from Israel CERT, a well-known botnet expert, and frequent presenter at DefCon, is quite pissed at GNR, the company behind .name top-level domain. Not sure what the story is, since their whois seems to work fine for me (that is, there’s no data available for most of the searches), but according to Wired, GNR is now charging $2 for 24-hour access to its whois database:
That’s $2 too much for security researcher Gadi Evron, one of the leading authorities on zombie computer networks. “What they have done is made sure the .name TLD is free haven for bad guys to lurk on,” Evron said. “If I need to report 1,000 domains, I’m not going to pay $2,000.”
Not sure how it’s different from private registration of .com and .net domains, offered by many registrars. They won’t divulge the data either, unless subpoenaed, and theoretically a phishing site could just hide behind a more generic TLD with private registration.
I spent this weekend in Las Vegas attending DefCon 15. This year there weren’t as many announcements of 0-day exploits as last year, but nevertheless three days were information-packed, with 5 tracks on Friday and Saturday starting at 10 am and ending at 10 pm. On Sunday they did a half-day that ended at 4 pm, with 3 tracks of presentations. There were, of course, some pretty cool events, like a Dateline NBC undercover reporter Michelle Madigan being outed. Below are some of the memorable talks.
Q&A with Bruce Schneier. The secret to leading an effective life (Schneier is the top US cryptography expert, a frequent blogger, quote generator, and restaurant reviewer) is not to watch television. He was also able to travel to Vegas without an ID. Apparently if you just tell the airline agent that you’ve lost your ID (which could happen, and you don’t need to be stuck somewhere else waiting for your state to send you back your ID), they will give you a ticket with NO ID stamp on it, which gives you access to the boarding area. Also, Schneier doesn’t think the encryption algorithms will need to change a great deal in the future, because what we have right now seems to be more or less sufficient. When Feds need to get the information off somebody’s computer, they don’t ask NSA to break into 1024-bit encryption on his PC, they just install the keylogger and get the passphrase.
Steve Dunker enlightened the public on facts and myths about police arrests. In case a hypothetical arrest happens, they don’t necessarily need to read you your Miranda rights, contrary to what you might have seen in the latest action movie. They only need to do it if they intend to use what you said in court, which in the case of an obvious crime, or witnesses being out there, is not necessary.
Founder of the Shmoo group Bruce Potter spoke about the “dirty secrets” of the security industry in a packed room. Bruce is a pretty popular guy, and generally attracts crowds to his speeches. He had some good points about the security industry lacking fundamentals. We spend billions on firewalls, intrusion detection systems, authentication systems, etc., without realizing that the underlying problem for all the security concerns is crappy code. The reason you need that expensive firewall or IDS is because you cannot trust the application that’s running within your organization to correctly deal with weird data inputs, network connections, injections, etc. If your app was golden, none of this additional spending would need to happen. Instead the responsibility for dealing with data securely is offloaded to a third party.
Founder of DefCon Dark Tangent told the story of CiscoGate, speaking at his conference for the first time (unfair advantage being the reason he avoids speaking at DefCon). That was a pretty intense talk, complete with lawyers from both ISS and Cisco calling Jeff Moss regarding Mike Lynn’s talk at Black Hat conference, as well as Cisco hiring a brigade of temp workers to rip out the pages of Mike Lynn’s presentation from the book of papers that’s provided to the conference attendees.
Johnny Long’s talks are usually a highlight of any day he presents, and this time he didn’t disappoint. His low-tech hacking presentation was all about figuring out important information without doing anything high tech. Dumpster-diving, getting important information from people’s parking badges, taking pictures of badged employees and then reproducing the badges, or even misrepresenting yourself as an AT&T employee who’s here to check the integrity of the phone network, with a laminated AT&T badge and all. Apparently, the whole process of lamination convinces any representative of the human race that somehow you are now an official employee of the organization whose logo you display on your badge.
Broward Horne presented an interesting technique of analyzing click fraud through some unorthodox means. IAmFacingForeclosure.com managed to generate tons of negative press towards itself, being, as the Web site claimed, the blog of someone who invested too much money into subprime real estate, could now not make his payments, and was waiting on the government to kick in and bail him out. As one can imagine, this strategy generated quite a few resentful readers, and traffic to the blog rose. Broward Horne was doing two things at the same time - measuring the blog’s traffic through Alexa, and also linking to it with the right terms, so that his site would show up on the Google result list in proximity to IamFacingForeclosure, and therefore he’d get some portion of the traffic, a bone off the master’s table. Strangely, none of this happened. The Alexa graph, unreliable as it is, stayed the same, and even though IamFacingForeclosure’s site traffic was supposedly skyrocketing, the site placed close to it in the search engines received no traffic whatsoever. When both Google and Yahoo! kicked IAmFacingForeclosure off their AdSense and Publisher Network programs, it was obvious that the author was engaged in click fraud - generating high-priced real-estate and mortgage-related content, placing Google and Yahoo! text ads, and then relying on an army of bots to click through the ads, thereby generating substantial revenue for the site. Of course, once the idea is out there, it’s relatively easy to now train the bots to ping Alexa or Compete whenever they’re visiting a site, but the analysis via third-party means was quite interesting nonetheless.
Dan Kaminsky’s talk is usually oversubscribed, and the same happened this time - the gigantic conference room was packed, with people sitting on the floor, and with goons shooing them away due to the notorious Fire Marshal concerns. Kaminsky was talking about a current IT security myth that claims that outside attackers cannot get to your internal network due to firewalls and whatnot. They can, however, present a Web site to the user, suggest a Java applet or Flash application on the Web site, have those applications be granted sufficient permissions by a user on your network, and then access pretty much anything the user has access to. The highlight of the presentation was rebinding the DNS for some popular domains out there. You don’t need to completely divert the DNS; you need only to insert one additional A record specifying that, for example, paypal.com lives not only on the IP addresses defined in their whois, but also on your own server. Now, the multitude of IP addresses presented in the DNS record is combined with the fact that a browser will choose a random one from the selection available, every once in a while taking the user to your compromised server. Create an invisible iframe with your code and a visible frame with Paypal’s official Web site, and JavaScript’s same-origin policy effectively allows you to read and write DOM data to and from any Web site out there.
Gadi Evron spoke about botnets. A Google search for C99Shell returns 5,700 results, and while some of those are discussing the C99Shell, some of the results are sites that have been compromised, frequently through their upload tools, to host a shell that pretty much has access to anything that the Web server can access. Even when it doesn’t maliciously harm the host, it can be used to generate spam, host files, etc. The Register also reported on the session dedicated to the malware marketplace. Gadi Evron also spoke the same evening on the “cyber-war” between Russia and Estonia, which, according to him, looked more like some vigilante activity than an organized government vs. government attack. Estonia is essentially leading the world in e-government initiatives, with a bunch of their government and financial transactions happening exclusively online. A political scandal related to the removal of a Russian monument riled up Russians, who passed the messages through the blogosphere (mostly Livejournal and forums), instructing everyone who’s feeling insulted by Estonians to run a ping on major Estonian servers. Gadi did not go into details of the attack, as he was interested mostly in defending. It’s also very alarming that the country was not prepared for such a level of attack, and there was essentially no emergency plan. There’s a little bit more information on Gadi’s blog.
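Two defences against the rebinding trick described above, as an added example (not from the talk or this post): a resolver-side filter that refuses to hand a public name an answer inside private address space, and the Host header check an internal service can apply so that a rebound request is turned away. The names, addresses and the .corp.example suffix are constructed.

```python
import ipaddress

# Constructed sample answer sets (not real DNS data): the public name has been
# "rebound" so that one A record now points inside the LAN.
SAMPLE_ANSWERS = {
    "www.example.com": ["93.184.216.34", "10.0.0.5"],
    "intranet.corp.example": ["10.0.0.5"],
}

# Assumption: only names under these suffixes may legitimately resolve to private space.
INTERNAL_SUFFIXES = (".corp.example",)


def is_internal_address(addr):
    """True for addresses a public hostname should never resolve to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def filter_rebinding(name, addresses):
    """Resolver-side defence: drop private/loopback answers for names outside the
    internal allow-list (the behaviour of dnsmasq's --stop-dns-rebind)."""
    if name.lower().endswith(INTERNAL_SUFFIXES):
        return list(addresses)
    return [a for a in addresses if not is_internal_address(a)]


def _host_without_port(host_header):
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        return host[: host.find("]") + 1]
    if host.count(":") == 1:                 # name:port or v4:port
        return host.split(":", 1)[0]
    return host


def host_header_allowed(host_header, allowed_hosts):
    """Server-side defence: an internal service only answers requests whose Host header
    is one of its own names. A rebound request still carries the attacker's domain in
    Host, because the browser believes it is talking to that domain."""
    return _host_without_port(host_header) in {h.lower() for h in allowed_hosts}
```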
Steve Topletz from the Hacktivismo Project announced the release of XB Machine, a completely anonymous virtual machine that can live on a Mini-CD or USB drive and operates via the Tor network. Perry also discussed the current architecture of XeroBank (formerly known as TorPark) and the reasons behind the commercial services it offers - XeroBank runs its own network in countries with the right privacy legislation, and completely encrypts all browsing transactions, making it impossible even for them to identify you properly. There were other future-looking announcements, but since each one was preceded by “I am not supposed to talk about this”, I won’t go into much detail - XeroBank will release the news when they’re ready.
Daniel Peck & Ben Feinstein introduced CaffeineMonkey, a tool to identify and explore potentially malicious JavaScript. From the tool Web site: “One of the key components of this tool is that it is behavior based, not signature based. It identifies specific behaviors that are indicative of malicious code. Building on the work of several existing client honeypot implementations, their goal is to largely automate the painstaking work of malicious software collection. The focus is on attacks using JavaScript for obfuscation or exploitation.”
Rick Deacon this morning talked about flaws discovered on the MySpace.com site; specifically, the MYUSERINFO cookie is susceptible to being stolen and then authenticated against MySpace. There are tons of reports on Rick Deacon’s presentation on the news wires today, even though apparently disclosure to MySpace has been made, and the trick only works in older versions of Firefox. Even though at the beginning of the presentation he claimed that it might impact quite a few people, you have to respect Firefox’s upgrade model - you basically have no choice but to upgrade when they tell you to. The new version is downloaded and installed, and then just waits for you to restart the browser, bugging you in between.
Aviv Raff & Iftach Ian Amit this morning were able to inject a malicious JavaScript widget into the iGoogle homepage, and if that widget is located on the same page as the Gmail widget, the malicious widget can read the data on the page, which is currently limited to Gmail senders and subject lines. They also discussed a vulnerability in the Live.com RSS reader, which Microsoft fixed upon disclosure, and a Yahoo! widget vulnerability, which Yahoo! fixed as well. As a side note, most of the fixes resulted in changing one or two lines of code. I asked Raff and Amit regarding the exploitability of the Facebook profile code, and they were generally unfamiliar with the site, but said that external JavaScript was the underlying platform for all of the security exploits, so FBML code pushed by the app developer to the profile is safe. ComputerWorld also attended a session on AJAX exploits.
Brendan O’Connor spends his time studying the underlying security of the banking industry, specifically online banking and bill payment services. One security error in that field, and the customer’s information is completely exposed, which, combined with the e-statements, tax forms, and electronic copies of checks that current online banking services keep, could have a rather dire impact on the customer’s finances. Discoveries from the talk? All those images the banks display to you to prevent phishing are sourced from a single database, with the primary key into that database displayed in the ALT field. Get an account with an online bank, go to the online banking sign-up, start choosing your images by moving through their gallery, and within a few minutes or hours, depending on your skills, you should have a complete database of images supposedly verifying that the site is not a phishing site. Also, the challenges presented from public sources are not consistent, so if somebody tries to sign up as you at a banking site, the first time they will be asked to verify the car purchased in 1995 - was it a Toyota, Honda, Ford or none of the above. Choose to decline the challenge, come back a few days later, and the challenge question will remain the same, with the answers now being Mitsubishi, Ford, General Motors or none of the above. Notice anything interesting? Ford is present in both of them, giving a potential attacker the right answer about your personal information.
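A constructed example (not the bank’s or the talk’s code) of the Ford leak and its fix: the weak version draws fresh distractors on every attempt, so the intersection of the option sets seen across attempts converges on the true answer, while the hardened version derives the distractor set from an HMAC over the user and the question, so every attempt shows exactly the same options. The make list, user id, question id and server secret are made up.

```python
import hashlib
import hmac
import random

# Constructed pool of answers for the "what car did you buy in 1995" challenge.
CAR_MAKES = ["Toyota", "Honda", "Ford", "General Motors", "Mitsubishi",
             "Nissan", "Chrysler", "Volkswagen"]
NONE = "None of the above"


def weak_options(true_answer, pool, rng=random):
    """Flawed version: two fresh random distractors per attempt, then a shuffle.
    Only the true answer (and the fixed 'none' option) survives in every set."""
    distractors = rng.sample([m for m in pool if m != true_answer], 2)
    options = [true_answer] + distractors
    rng.shuffle(options)
    return options + [NONE]


def hardened_options(true_answer, pool, user_id, question_id, server_secret):
    """Hardened version: the same drawing logic, but seeded from an HMAC of the user
    and question under a server-side secret, so repeats reveal nothing new."""
    tag = hmac.new(server_secret, f"{user_id}|{question_id}".encode(),
                   hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(tag[:8], "big"))
    return weak_options(true_answer, pool, rng)


def surviving_options(option_sets):
    """What an observer learns: the intersection of every option set they were shown."""
    result = set(option_sets[0])
    for s in option_sets[1:]:
        result &= set(s)
    return result
```

The same seeding must also govern whether the true answer is shown at all; otherwise an attempt where "none of the above" is correct gives the game away just as well.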
I missed the lockpicking presentation this year, since it was time for me to head for the airport. There was also an interesting WiFi presentation compromising Gmail addresses (but from the description, looks like some other Webmail providers could be vulnerable as well), which I missed.
It’s a week past DefCon, but there’s still one presentation that I wanted to post about. It was one of the late ones, where one feels tired and exhausted, but the content was worth sticking around for. Irby Thompson and Mathew Monroe from Lockheed Martin came with exploit and data hiding techniques that would allow a Windows user to instantly increase available storage. For free.
Windows’ NTFS Master File Table (MFT) is not well documented or well understood, but it contains the map of all the files on NTFS. The MFT keeps the file metadata in a single location, and hence provides plenty of opportunities for data hiding. Each MFT entry header has two bytes reserved, each resident attribute for each entry in the MFT has 4 bytes reserved, and the non-resident attributes of the MFT can have up to 14 bytes reserved. Consider how many files a typical Windows installation has, and we’ve suddenly got plenty of room for hiding data without creating any tracks or new files. It’s like magic - you place the data on the hard drive, and not a single byte of free space is wasted.
A clean Windows XP installation has over 12,000 files, and a typical Windows XP system has over 100,000 entries. The interesting thing about the MFT is that it never shrinks. The researchers pointed out that about 60% of the MFT entries could be used for data hiding safely. Combine that with an average of 100,000 entries, and we get a sweet 36,000,000 bytes where data could be safely hidden. Thompson and Monroe created slacker.exe, an application that takes a source data file and spreads it around MFT entries.
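A forensic check for the hiding spots described above, added here as an example rather than anything from the talk or slacker.exe: it undoes the NTFS update-sequence fixups, then reports non-zero bytes in the two reserved header bytes and in the record slack between the used and allocated sizes. The 1024-byte record size, the XP-era header layout (reserved bytes at offset 42, record number at offset 44) and the sample record builder are assumptions.

```python
import struct
from dataclasses import dataclass

RECORD_SIZE = 1024   # assumption: the usual MFT record size
SECTOR = 512


@dataclass
class SlackReport:
    record_number: int
    header_padding: bytes   # the 2 reserved bytes at offset 42 of the record header
    slack_nonzero: int      # non-zero bytes between "used size" and "allocated size"
    slack_total: int


def apply_fixups(raw):
    """Undo the NTFS update sequence: put the saved bytes back at each sector end."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = SECTOR * i
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def inspect_record(raw):
    """Measure the reserved header bytes and the record slack of one MFT record."""
    if len(raw) != RECORD_SIZE or raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    used, alloc = struct.unpack_from("<II", rec, 24)
    number = struct.unpack_from("<I", rec, 44)[0]
    slack = rec[used:alloc]
    return SlackReport(number, bytes(rec[42:44]), sum(1 for b in slack if b), len(slack))


def is_suspicious(report, max_ratio=0.05):
    """Heuristic: reserved bytes set, or more than max_ratio of the slack is non-zero.
    Reused records may keep stale attribute bytes, hence a ratio rather than any byte."""
    if any(report.header_padding):
        return True
    return report.slack_total > 0 and report.slack_nonzero / report.slack_total > max_ratio


def build_record(number, used=0x140, payload=b"", padding=b"\x00\x00"):
    """Constructed sample record (not real disk data): a minimal header, optional
    bytes planted in the reserved field and in the slack, then the update sequence."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 48, 3)            # USA at 48: USN + one entry per sector
    struct.pack_into("<HH", rec, 16, 1, 1)            # sequence number, hard-link count
    struct.pack_into("<HH", rec, 20, 56, 1)           # first attribute offset, in-use flag
    struct.pack_into("<II", rec, 24, used, RECORD_SIZE)
    rec[42:44] = padding
    struct.pack_into("<I", rec, 44, number)
    rec[used:used + len(payload)] = payload
    struct.pack_into("<H", rec, 48, 1)                # USN = 1
    for i in range(1, 3):                             # save sector-end bytes, stamp the USN
        end = SECTOR * i
        rec[48 + 2 * i:48 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)
```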
About 6,000 computer aficionados gathered at the annual three-day event in Las Vegas, which concluded Sunday. More than 500 contestants will have competed in capture the flag and 16 other Defcon games, considered a legal talent show for hackers — a way to show corporations, consumers and government agencies how vulnerable their networks are, without the risk of criminal prosecution or financial liabilities.
Can you be completely anonymous? Not while browsing the Internet (we know what Tor is for), but in real life. Johan Hybinette discussed this topic this morning at DefCon, pointing out various loopholes here and there that would allow one to gain complete anonymity.
First off, the social security number. There’s no real way to get a fake one, except for manufacturing a fake card, but the government has a Web site where one can verify social security numbers by last name. You have to be a US employer to gain access to the Web site. Faking one is close to impossible, since the number can be easily verified, and therefore an attacker would have to steal one. Stealing one is easier than one would think. Are you used to calling the bank and being asked for the last four digits of your social security number?
The last four digits can’t give away too much, can they? After all, there are 5 digits that the attacker still has to guess, and the possibilities range from 000-00 to 999-99. Not quite. The first three digits of the social security number are determined by the place that issues you the Social Security card. If you’re a native-born American, that’s the local Social Security Administration office at the time of birth. If you’re naturalized, it’s whatever office you used to get your original SSN.
What follows is the group number. The group number is the two digits following the SSN office number, and the information is available from the Social Security Administration. Basically, the numbers range from 00 to 99, and the Social Security Administration publishes a bulletin saying which group number it’s on right now. If you can estimate the victim’s age, you almost have the group number figured out, or at least guessed within very close proximity. Get someone with access to the SSA social security number verification site, and you can easily run a check of your best bets.
After that comes the passport. It’s extremely hard to gain a valid US passport, unless you’re an American, and therefore few people attempt it. However, if an attacker steals the identity of a valid SSN holder, getting a passport becomes a bit easier. Therefore, if you’re an American and you don’t have a passport, get it. Even if you don’t plan to travel, there’s a possibility that someone might abuse your identity just to get a passport. Beyond US passports, there’s a possibility of getting some other countries into helping you to create your fake identity.
Are you Jewish? Apply for Israeli citizenship. Are you Irish? You can apply for Irish citizenship and get a perfectly valid passport from Ireland. Have tons of cash? Argentina, the Bahamas and some other countries would be happy to issue you a passport of their own, which they revoke frequently. Have some money but not a lot, and don’t intend to travel? Get a passport of the Soviet Union, British Honduras, or another country that doesn’t exist anymore. Those passports are not good for travel, since the personnel is trained to spot them, but you can get a perfectly good bank account with them.
US birth certificates - hard to obtain, hard to use. Most of the attackers don’t try them. Some states, however, will renew a birth certificate if you claim it lost and provide a valid social security card and a driver’s license.
So what about a driver’s license? Those are reasonably easy to get if you’re within the United States and don’t have any qualms about visiting your local DMV. However, after standing in line, being yelled at, and being exposed to people with pretty bad body odour, you can only get a license for yourself, so what’s the point of doing that?
There are always novelty driving license sites; if you do not intend to ever use the driving license in front of a government official such as a cop, who can check the numbers against the database, those will work. However, frequently attackers go after terminally ill or very old people, offering them some cash for turning over all the personal details (driver’s license, SSN, passport number, birth certificate) and paying them not to submit the certificate of death. When the person passes away, having lived their very last days off the attacker’s generous financial donation, an entire identity is up for grabs and becomes an extremely hot black market commodity.
Hybinette’s talk was both informative and disturbing, and some loopholes in US legislation, such as the possibility of coming back to the country on an Irish passport (which is extremely easy to get as long as one of your ancestors can claim a drop of Irish blood), will be shut down.
SensePost presented Suru, a man-in-the-middle proxy for testing Web applications for potential vulnerabilities. It allows you to sit in the middle of HTTP GET and POST requests, modify the requests with regular expressions (to insert some single quotes, perhaps), as well as attach a fuzzing tool to the Web service requests. It also does some reconnaissance as you browse the site:
As you browse, Suru automatically detects when a new directory is used (e.g. when the user surfed to http://abc_corp/abc/ the directory /abc/ is automatically searched). This means that, as the analyst is surfing the application, Suru will learn more and more about the application and perform more in-depth discovery of the site.
Broward Horne told the story of disrupting SalesLogix back in the days of the dot-com boom by posting some pretty good satire on the Yahoo! Finance message boards for SalesLogix. The talk is titled Meme Hacking – Subverting The IdeoSphere and talks about propagating information and manipulating opinions on the Internet. Not a whole lot of technical tips, mostly psychological.
Fuzzing seems to be the word of the day at DefCon. It’s a technique of evaluating the application by attaching a source of random data to it. The Wikipedia link points to the paper Fuzz Testing of Application Reliability. Want to do some fuzz testing? Just point a generator of random data at your application’s input.
Rick Wesson of Support Intelligence, LLC conducted extensive research of existing botnets. He spends his days looking up active botnets on the Web and penetrating those for research. Occasionally he would call the victims to tell them their identities have been compromised, and people would get mad, and he’d find himself on the receiving end of threats and frustrations, when he told the person their social security number and credit card information.
Chevron is one of the companies mentioned. Chevron’s corporate network was compromised to send out large amounts of spam. Indeed, why would you bother with pesky home desktops if you can compromise a large corporate network hooked up to a T1.
The organizers keep reporting on dealing with hotel management, and whether or not the conference will be kicked out (FYI, the Riviera is quite happy with DefCon attendees so far).
The early 10 am speaker brings helpings of beer to his talk just to help people who are hungover.