<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: unleash]]></title>
    <link>http://securityratty.com/tag/unleash</link>
    <description></description>
    <pubDate>Mon, 07 Jan 2008 15:09:34 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Researchers unleash DNS attack code]]></title>
      <link>http://securityratty.com/article/e0ee117cad95506bd8879899a063ab9f</link>
      <guid>http://securityratty.com/article/e0ee117cad95506bd8879899a063ab9f</guid>
      <description><![CDATA[Security researchers have released attack code that can silently redirect users to unintended sites using a critical flaw in the Internet's Domain Name...]]></description>
      <content:encoded><![CDATA[Security researchers have released attack code that can silently redirect users to unintended sites using a critical flaw in the Internet's Domain Name System.
]]></content:encoded>
      <pubDate>Thu, 24 Jul 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/attack code">attack code</category>
      <category domain="http://securityratty.com/tag/silently redirect users">silently redirect users</category>
      <category domain="http://securityratty.com/tag/critical flaw">critical flaw</category>
      <category domain="http://securityratty.com/tag/security researchers">security researchers</category>
      <category domain="http://securityratty.com/tag/internet">internet</category>
      <category domain="http://securityratty.com/tag/sites">sites</category>
      <category domain="http://securityratty.com/tag/system">system</category>
      <category domain="http://securityratty.com/tag/domain">domain</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/344844818/article.do">Researchers unleash DNS attack code</source>
    </item>
    <item>
      <title><![CDATA[Chinese Cyber Attacks]]></title>
      <link>http://securityratty.com/article/6da7a571e68f430abd0a03fd33ea55f7</link>
      <guid>http://securityratty.com/article/6da7a571e68f430abd0a03fd33ea55f7</guid>
      <description><![CDATA[The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot...]]></description>
      <content:encoded><![CDATA[The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot more complicated.

There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time.

These hacker groups seem not to be working for the Chinese government. They don't seem to be coordinated by the Chinese military. They're basically young, male, patriotic Chinese citizens, trying to demonstrate that they're just as good as everyone else. As well as the American networks the media likes to talk about, their targets also include pro-Tibet, pro-Taiwan, Falun Gong and pro-Uyghur sites.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States.

And the money comes from several sources. The groups sell owned computers, malware services, and data they steal on the black market. They sell hacker tools and videos to others wanting to play. They even sell T-shirts, hats and other merchandise on their Web sites.

This is not to say that the Chinese military ignores the hacker groups within their country. Certainly the Chinese government knows the leaders of the hacker movement and chooses to look the other way. They probably buy stolen intelligence from these hackers. They probably recruit for their own organizations from this self-selecting pool of experienced hacking experts. They certainly learn from the hackers.

And some of the hackers are good. Over the years, they have become more sophisticated in both tools and techniques. They're stealthy. They do good network reconnaissance. My guess is what the Pentagon thinks is the problem is only a small percentage of the actual problem.

And they discover their own vulnerabilities. Earlier this year, one security company noticed a unique attack against a pro-Tibet organization. That same attack was also used two weeks earlier against a large multinational defense contractor.

They also hoard vulnerabilities. During the 1999 conflict over the two-states theory, in a heated exchange with a group of Taiwanese hackers, one Chinese group threatened to unleash multiple stockpiled worms at once. There was no reason to disbelieve this threat.

If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse. Without central political coordination, they're likely to take more risks, do more stupid things and generally ignore the political fallout of their actions.

In this regard, they're more like a non-state actor.

So while I'm perfectly happy that the U.S. government is using the threat of Chinese hacking as an impetus to get their own cybersecurity in order, and I hope they succeed, I also hope that the U.S. government recognizes that these groups are not acting under the direction of the Chinese military and doesn't treat their actions as officially approved by the Chinese government.


This essay <a href="http://dsc.discovery.com/technology/my-take/computer-hackers-china.html">originally appeared</a> (or <a href="http://tinyurl.com/5lv3ac">http://tinyurl.com/5lv3ac</a>) on the Discovery Channel website.]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 03:08:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chinese">chinese</category>
      <category domain="http://securityratty.com/tag/chinese military ignores">chinese military ignores</category>
      <category domain="http://securityratty.com/tag/chinese military">chinese military</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/chinese government">chinese government</category>
      <category domain="http://securityratty.com/tag/military">military</category>
      <category domain="http://securityratty.com/tag/hacker tools">hacker tools</category>
      <category domain="http://securityratty.com/tag/hackers">hackers</category>
      <category domain="http://securityratty.com/tag/anti-chinese forces">anti-chinese forces</category>
      <source url="http://www.schneier.com/blog/archives/2008/07/chinese_cyber_a.html">Chinese Cyber Attacks</source>
    </item>
    <item>
      <title><![CDATA[Q&A: Iowa's tragic lesson in business continuity]]></title>
      <link>http://securityratty.com/article/33f6dcd8e6356e2c0b01bec800513d02</link>
      <guid>http://securityratty.com/article/33f6dcd8e6356e2c0b01bec800513d02</guid>
      <description><![CDATA[Deb Hale, security administrator at Iowa-based telecommunications provider Long Lines, discusses the most important things a company can do to survive what Mother Nature decides to...]]></description>
      <content:encoded><![CDATA[Deb Hale, security administrator at Iowa-based telecommunications provider Long Lines, discusses the most important things a company can do to survive what Mother Nature decides to unleash.
]]></content:encoded>
      <pubDate>Wed, 09 Jul 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mother nature decides">mother nature decides</category>
      <category domain="http://securityratty.com/tag/deb hale">deb hale</category>
      <category domain="http://securityratty.com/tag/security administrator">security administrator</category>
      <category domain="http://securityratty.com/tag/provider">provider</category>
      <category domain="http://securityratty.com/tag/lines">lines</category>
      <category domain="http://securityratty.com/tag/unleash">unleash</category>
      <category domain="http://securityratty.com/tag/discusses">discusses</category>
      <category domain="http://securityratty.com/tag/survive">survive</category>
      <category domain="http://securityratty.com/tag/company">company</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/331061247/article.do">Q&amp;A: Iowa's tragic lesson in business continuity</source>
    </item>
    <item>
      <title><![CDATA[Dilbert Does Canonicalization]]></title>
      <link>http://securityratty.com/article/8babc91e6bf5070ed4ed5170f6cf638b</link>
      <guid>http://securityratty.com/article/8babc91e6bf5070ed4ed5170f6cf638b</guid>
      <description><![CDATA[I was checking out the new and improved Dilbert website a few minutes ago, checking out some of the new features and lamenting the overzealous use of Flash. One new feature is called Mashups....]]></description>
      <content:encoded><![CDATA[<p>I was checking out the &#8220;new and improved&#8221; Dilbert website a few minutes ago, checking out some of the new features and lamenting the overzealous use of Flash.  One new feature is called &#8220;Mashups.&#8221;  Naturally, you&#8217;d assume that this was some fancy Web 2.0 API that one might use to create a &#8220;killer app&#8221; combining Google Maps, Twitter, traffic delays, police reports, and Dilbert comics, all neatly packaged up as a privacy-invading Facebook plugin.  Sorry, no such luck.  &#8220;Mashups&#8221; turns out to be a way for readers to unleash their inner comedian and create customized punch lines for the daily comic, which can then be voted on by others.  For example, here are the <a href="http://dilbert.com/mashups/search/?CharIDs=&#038;After=05%2F03%2F2008&#038;Before=05%2F03%2F2008&#038;Author=&#038;CharFilter=Any&#038;x=56&#038;y=21">mashups from the May 3rd comic</a>.</p>
<p>Below is a screenshot of some of the user-generated comics that can be viewed.  I&#8217;ve magnified the last pane of one of the strips using Flash&#8217;s &#8220;Zoom In&#8221; feature.  Notice anything interesting?</p>
<p><a href='http://www.veracode.com/blog/wp-content/uploads/2008/05/zoom-dil.gif'><center><img src="http://www.veracode.com/blog/wp-content/uploads/2008/05/zoom-dil.gif" alt="" title="zoom-dil" width="426" height="501" class="aligncenter size-full wp-image-93" style="margin-bottom: 10px" /></center></a></p>
<p>Yep, it&#8217;s our old friend URL encoding, commonly used by web browsers to include non-alphanumeric characters in an HTTP request.  Just interpret the %XX as a hex number, so %20 is the space character (decimal 32), %21 is an exclamation point (decimal 33) and so on.  But why is it showing up in a Dilbert mashup?</p>
<p>My first thought was that someone must be poking around the Dilbert site looking for security holes.  But then I noticed that it wasn&#8217;t just the one strip; a lot of them had the same problem.  And it seemed unlikely that there were that many security-minded people messing with the site relative to the rest of the cubicle dwellers trying to come up with funny things for Dilbert to say.</p>
<p>My next thought was that some developer just forgot to call urlDecode() &#8212; or whatever the Flash equivalent is &#8212; on the user-supplied punch line.  Except that&#8217;s an oversimplification because: 1) it doesn&#8217;t happen on every strip, 2) the web server usually strips off the first layer of URL encoding so the backend wouldn&#8217;t see it unless it was double encoded (e.g. %2520), and 3) if you click on one of the thumbnail comics with the URL encoding anomaly, the full-size rendered version of the comic looks fine:</p>
<p><a href='http://www.veracode.com/blog/wp-content/uploads/2008/05/clicked-dil.gif'><center><img src="http://www.veracode.com/blog/wp-content/uploads/2008/05/clicked-dil.gif" alt="" title="clicked-dil" width="500" height="166" class="aligncenter size-full wp-image-96" style="margin-bottom: 10px" /></center></a></p>
<p>So clearly the &#8220;preview&#8221; code and the &#8220;full-size render&#8221; code are doing slightly different things with the same data, which may or may not have been properly decoded prior to being inserted into the database.  </p>
<p>Any thoughts, readers?  The pen tester in me wants to get to the bottom of this, but unlike some of the web app security people out there, I tend to be more conservative about hacking stuff without a signed contract.  Also, I don&#8217;t think I can stand to read any more un-funny punch lines.  But my gut tells me there is something fairly interesting going on behind the scenes here.</p>
<p>Oh finally, here&#8217;s a tip from Scott Adams himself on <a href="http://dilbertblog.typepad.com/the_dilbert_blog/2008/04/dilbertcom-rede.html">avoiding the Flash navigation</a> and viewing the daily comic as a plain ol&#8217; GIF.  </p>
]]></content:encoded>
      <pubDate>Mon, 05 May 2008 08:03:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dilbert">dilbert</category>
      <category domain="http://securityratty.com/tag/dilbert mashups">dilbert mashups</category>
      <category domain="http://securityratty.com/tag/mashups">mashups</category>
      <category domain="http://securityratty.com/tag/comic">comic</category>
      <category domain="http://securityratty.com/tag/dilbert website">dilbert website</category>
      <category domain="http://securityratty.com/tag/daily comic">daily comic</category>
      <category domain="http://securityratty.com/tag/comics">comics</category>
      <category domain="http://securityratty.com/tag/un-funny punch lines">un-funny punch lines</category>
      <category domain="http://securityratty.com/tag/dilbert comics">dilbert comics</category>
      <source url="http://www.veracode.com/blog/?p=91">Dilbert Does Canonicalization</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: Mesh in Devices, Florida-Fi, Minneapolis-Fi, LA No-Fi, Harbor-Fi, Parade-Fi]]></title>
      <link>http://securityratty.com/article/d245d159838a80e133b03d1950954613</link>
      <guid>http://securityratty.com/article/d245d159838a80e133b03d1950954613</guid>
      <description><![CDATA[Out-of-sight, out-of-mesh: PacketHop announces first 802.11s mesh standard products based on the likely-to-be-approved current draft. The mesh standard is about endpoints, and I'd entirely lost track...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://www.networkworld.com/newsletters/wireless/2008/042808wireless1.html"><strong>Out-of-sight, out-of-mesh:</strong></a> PacketHop announces first 802.11s mesh standard products based on the likely-to-be-approved current draft. The mesh standard is about endpoints, and I'd entirely lost track of it; it has nothing to do with how metro-scale devices mesh way up on poles. 802.11s mesh should allow end-point devices to form their own loose associations, which could improve throughput and range across parts of a network. Latency increases when you have a mesh network, because devices require more hops to reach a gateway, but depending on how smart meshes are about tokens and limiting power, they can exchange data at higher speeds among themselves without a central chokepoint. PacketHop, acquired by SRI International, is offering their technology as something hardware makers can integrate, rather than as a set of chips or a reference product.</p>

<p><a href="http://www.sun-sentinel.com/news/local/sfl-flpwireless0428pnapr28,0,7037960.story?track=rss"><strong>Stalled-Fi in Florida:</strong></a> The Sun Sentinel newspaper looks at stalled, dropped efforts at city-wide Wi-Fi in Palm Beach County. Boynton Beach had a network early on, in 2005, but the city dropped the operator on March 31 due to complaints over maintenance. Delray Beach (E-Path) and West Palm Beach haven't advanced. </p>

<p><a href="http://www.startribune.com/business/18184384.html"><strong>Minneapolis Wi-Fi requires booster for best use:</strong></a> This isn't an enormous surprise, or anything, and one of the consultants on the Minneapolis project said that USI Wireless starts with the notion that a booster is needed, which is highly sensible. Reporter Steve Alexander found service was highly variable outdoors with a standard laptop Wi-Fi adapter. The company sells boosters: a $160 high-gain laptop card and an $80 ($5/mo rental) home bridge. Alexander didn't re-test problem areas with the high-gain card. You can <a href="http://ww2.startribune.com/static/wirelessMap.html"><strong>see the map</strong></a> of Alexander's test locations.</p>

<p><a href="http://www.dailybreeze.com/news/ci_9079041?source=rss"><strong>Orange Line in Los Angeles can't attract Wi-Fi operator:</strong></a> A spokesperson suggested riders should take advantage of "existing satellite" providers, where I think he'll be red-faced to know he should have said cellular. Or the reporter misheard. Say satellite and cellular each ten times fast. Now drink a glass of water.</p>

<p><a href="http://www.yorkshirepost.co.uk/localnews/Free-wifi-means-surfers-like.4027034.jp"><strong>Scarborough (Yorkshire Coast, UK) offers free Wi-Fi:</strong></a> 5.5m visitors pass through this coastal town each year, and a local business association has decided to unleash free Wi-Fi. The service will be pointed outwards for boats in the harbor, as well as inland.</p>

<p><a href="http://www1.pressdemocrat.com/article/20080427/NEWS/804270396/1033/NEWS&template=kart"><strong>Free Wi-Fi float in Sebastopol parade:</strong></a> The Apple Blossom Festival Parade last Saturday included "a fluorescent and sparkle-clad crew that shouted, 'Free Wi-Fi.' " The parade was led by a 1906 San Francisco Earthquake survivor.</p>]]></content:encoded>
      <pubDate>Mon, 28 Apr 2008 09:09:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/free wi-fi">free wi-fi</category>
      <category domain="http://securityratty.com/tag/offers free wi-fi">offers free wi-fi</category>
      <category domain="http://securityratty.com/tag/free wi-fi float">free wi-fi float</category>
      <category domain="http://securityratty.com/tag/parade">parade</category>
      <category domain="http://securityratty.com/tag/reporter steve alexander">reporter steve alexander</category>
      <category domain="http://securityratty.com/tag/unleash free wi-fi">unleash free wi-fi</category>
      <category domain="http://securityratty.com/tag/alexander">alexander</category>
      <category domain="http://securityratty.com/tag/mesh network">mesh network</category>
      <category domain="http://securityratty.com/tag/operator">operator</category>
      <source url="http://wifinetnews.com/archives/008293.html">Wee-Fi: Mesh in Devices, Florida-Fi, Minneapolis-Fi, LA No-Fi, Harbor-Fi, Parade-Fi</source>
    </item>
    <item>
      <title><![CDATA[FaxBox: the latest in password scams]]></title>
      <link>http://securityratty.com/article/0ee6e1b1f0b675ec856ee07ed2038a7c</link>
      <guid>http://securityratty.com/article/0ee6e1b1f0b675ec856ee07ed2038a7c</guid>
      <description><![CDATA[Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message
From: Question It...]]></description>
      <content:encoded><![CDATA[<p>Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message:</p> <blockquote> <p><font face="Courier New">From: Question It [mailto:question_it@fanboxapps.com] <br>Sent: Monday, January 07, 2008 2:34<br>To: Steve Riley<br>Subject: Ratul has asked you a question on FanBox </font> <p><font face="Courier New">&lt;http://ai.hitbox.com/ai?hb=DM550726CGWB&amp;ai=EMC-FBX_Questionit_sync&gt; </font> <p><font face="Courier New">Ratul asked you a question. View the question &lt;http://www.sms.ac/WidgetAPI/Service.ashx?version=1&amp;Method=GoToMyWidget&amp;FROMeUid=4ZIFG1mO1m6PfQKo06SrHw==&amp;eWid=KO7kd3aLplJrKkBpaarhhg==&amp;AssocData=+kt0NC6UaHnnVtU7bTsqPw==&amp;source=ViralWidgetEmail&amp;encemail=mygm7I2EtPGYgkjfT5Bu/3oQesFPnbnqWXKIA33YOI0=&amp;mlid=590803540&gt; and answer it.</font>  <p><font face="Courier New">FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.</font>  <p><font face="Courier New">This email was sent by Ratul while using the Question It application on FanBox. Go here &lt;http://profile.fanbox.com/preferences/EmailBlock.aspx&gt; to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA</font>  <p><font face="Courier New">&lt;http://www.sms.ac/WidgetAPI/Service.ashx?method=OpenEmail&amp;FROMeUid=4ZIFG1mO1m6PfQKo06SrHw==&amp;eWid=KO7kd3aLplJrKkBpaarhhg==&amp;encemail=mygm7I2EtPGYgkjfT5Bu/3oQesFPnbnqWXKIA33YOI0=&amp;mlid=590803540&gt; </font></p></blockquote> <p>For most of the well-known marketing profiling--oops, I mean social networking--sites, I've enrolled my email addresses in their opt-out mechanisms (I simply don't care about LinkedIn, Plaxo, Facebook, MySpace, and so on). 
But this one seemed suspicious. I don't know anyone named Ratul, and everyone who wants to ask me questions certainly knows my email address. It raised my bullshit detector.</p> <p>So after a bit of foraging I found this: <a href="http://spamhuntress.com/2007/12/15/smsac-turns-into-fanbox/">http://spamhuntress.com/2007/12/15/smsac-turns-into-fanbox/</a>. Seems like the company running FaxBox got in trouble for doing this crap once before. Funny, isn't it, how you can just change your name and suddenly all your past sins evaporate! Well, not on the Internet, apparently. Your past sins can and do come back to haunt you.</p> <p>When you sign up for FaxBox, they ask for your permission to email everyone in your address book (FanBox knows how to talk to most webmail systems). To do this, of course, FanBox needs your password. Most people, sigh, willingly supply their passwords to any seemingly innocuous service. We all know that these services really are vile disgusting filth, the very embodiment of whatever nefarious supreme being you now strongly wish would unleash itself on FaxBox and their ilk.</p> <p>So in this case, I'm certainly <em>not</em> going to click on the link to stop receiving more emails. Rather, I'll put <font face="Courier New">fanbox.com</font>, <font face="Courier New">fanboxapps.com</font>, and while I'm at it, <font face="Courier New">sms.ac</font> in my blocked senders list. I recommend you do the same, and get the word out to your friends, too. FanBox--and anyone else who asks for your password--is evil, eeeeeevil I say.</p>]]></content:encoded>
      <pubDate>Mon, 07 Jan 2008 15:09:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/email">email</category>
      <category domain="http://securityratty.com/tag/question itfanboxapps">question itfanboxapps</category>
      <category domain="http://securityratty.com/tag/email address">email address</category>
      <category domain="http://securityratty.com/tag/question">question</category>
      <category domain="http://securityratty.com/tag/fanbox">fanbox</category>
      <category domain="http://securityratty.com/tag/junk email folder">junk email folder</category>
      <category domain="http://securityratty.com/tag/faxbox">faxbox</category>
      <category domain="http://securityratty.com/tag/ratul">ratul</category>
      <category domain="http://securityratty.com/tag/named ratul">named ratul</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/01/07/faxbox-the-latest-in-password-scams.aspx">FaxBox: the latest in password scams</source>
    </item>
  </channel>
</rss>
