Irregular Expressions

November 27, 2010  12:38 AM

New ATM skimming in EU

Posted by: Dan O'Connor
atm, malware, mp3

This is some pretty creative stuff with a mp3 player although the link is kinda vague on any details about anything really.

The shimming attack also mentioned sounds very neat, but again a lack of details.

November 19, 2010  3:00 PM

Bruce Schneier on Cyber War

Posted by: Dan O'Connor
cyberwar, talks

I find his opinions on things very interesting and he has a habit of approaching things totally differently then a lot of other security guys and limits the sky is falling talk.

The link is a good 25 minute talk, worth listening to, or watching.

November 18, 2010  9:31 PM

Tips for cleaning out your gmail account after a compromise

Posted by: Dan O'Connor
gmail, gmail recovery, hack

The key to successfully recovering after any incident is having a plan.  This is why you need to understand good incident handeling procedures and practice!

It’s always best to have these steps written down, so here it is for your gmail account.

This is also a good reminder to ensure your account recovery settings are up to date, and make sure to include a SMS  number.

Unfortunately if you are not in your account when something like this happens you are already too late, once your password is reset it may take a while to regain access to it.

November 18, 2010  9:10 PM

Worst hire ever

Posted by: Dan O'Connor
FTC, hacker, link

I can understand why the FTC would want to have someone with this skill set, but looking into his past would make all sorts of alarm bells go off.

Even the stuff he pulled while working for them, I would have liked to have been around the conversations that the management was having after all those.  Even the conversations before he was hired and how the justification of the risk of hiring this guy and if he is the one they picked what the heck where the guys that they turned down.

November 16, 2010  12:22 AM

Googles Suspicious Connection Warning

Posted by: Dan O'Connor
gmail, google, java, osx, trojan

Well I know I have liked this in the past when I saw it fire off on myself when traveling.  At that time it seemed to have worked immediately.  I have always wondered if it would really work.

I can say for now that it does, but not as fast as I thought it would.

My account was access from an IP in China, looks like my wife picked up a trojan on her mac.  That in itself is full of awesome.

Good is not sharing multiple passwords across multiple sites.

Bad is having all of that account information in one place.

Lucky I was sitting on it right when it happened so I was able to stay logged in, log out all of the other sessions and change the password.

Lets not do that again.

November 13, 2010  2:27 AM

PDF Challange

Posted by: Dan O'Connor
game, pdf


Another challenge to do, I have been doing a lot of research in to exploiting with pdf’s so it’s nice timing for this.  I hope to have some information posted soon on what I have been doing and the results of my testing.

But I think I am going to have to stop that for a while to do this!

Good luck.

November 9, 2010  11:52 PM

The evolution of facebook click jacking

Posted by: Dan O'Connor
click jacking, clickjacking, facebook

How much further can click jacking in facebook go?

Right now the main ones that I have seen are working to either gather information (or just a prof of concept) and try to use a browser vulnerability on the redirected page to infect the host.

Another from the Sophos blog tries to get you on a monthly cell plan.

What else could you do?

What about harvesting facebook passwords?  What good is that, well I can’t say the number but I bet there is more people than not that use the same password for everything!  You could also use this in research with passwords and combine information such as what people do, age, work history, and geographical location to build a model for what kind of password they would use. Why not?

I could also see targeted spear fishing attacks with click jacking.

Sounds like something fun!

November 4, 2010  11:46 PM

SonicWall IPS evasion

Posted by: Dan O'Connor
dce rpc, dce rpc fragmentation, fragmentation, ips, ips evasion, metasploit, SonicWall, sonicwall ips evasion

Well this did work a few weeks ago.

Until a week or so ago, someone could use an IPS evasion module in Metasploit to pass attacks through a SonicWall.  This involved using DCE / RPC Fragmentation which fragments the packets during the NetBIOS session setup.

This has been known since at least 2006 ish when Snort implemented a dynamic pre-processor to handle this in it’s engine.  Several other UTM’s have the ability to detect this type of traffic, most of them based on the Snort pre-processor.

Last week I was successfully getting the ms10_061 passed the SonicWalls IPS engine and AV engine using the fragmentation.  I did not specifically chose the ms10_061, but it was in the list of top 10 blocked attacks on the dashboard.


It worked.

Turn off the Frag,



Right through like Jim Morrison.

I reported the issue to SonicWall and after a some debate there is a new signature.

October 29, 2010  12:10 AM

facebook session hijacking

Posted by: Dan O'Connor
facebook, hijack

I love it when people do all of the work for you.

Firesheep is a FireFox plugin to hijack FB session, it looks really good.

There is a slide show here

With a short demo.

Here is a shot of the capture running.

This will work with twitter, facebook, and google.

Anything that does not keep an SSL connection is in trouble.  So far it will support Windows and OSX but you need the PCAP libs installed for it to work.

Remember on Windows thats LibPCAP.


October 28, 2010  11:46 PM

Adobe 0-Day

Posted by: Dan O'Connor
0-day, adobe, exploits, nist

Not that this is anything special, its the remediation steps that caught my eye. Also the number of platforms affected.

Just delete the lib!

Adobe Reader and Acrobat 9.x - Windows
          Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and
          Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable
          crash or error message when opening a PDF file that contains Flash (SWF) content.
The authplay.dll that ships with Adobe Reader and Acrobat 9.x
 for Windows is typically located at C:\Program Files\Adobe\Reader
9.0\Reader\authplay.dll for Adobe Reader or C:\Program
Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
Adobe Reader 9.x - Macintosh 
          1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
          5) Delete or move the AuthPlayLib.bundle file.
Acrobat Pro 9.x - Macintosh
          1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
          5) Delete or move the AuthPlayLib.bundle file.
Adobe Reader 9.x - UNIX 
          1) Go to installation location of Reader (typically a folder named Adobe).
          2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
        3) Remove the library named ""

NIST has a little more information.

I really just want to know what the purpose of the DLL file is, but that seems to be hard to find.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: