(Source: http://zecura.com/Whitepapers.html)

“Log Management”, “SIEM”, “Correlation”, “Incident Management”, more and more organizations have a SIEM project in the pipe. SIEM means “Security Incident & Event Management“. Just to remind you, a SIEM is a set of tools which helps to collect and analyze logs from several sources on a corporate network. Basic functions of a SIEM are:

• Event collection;
• Normalization;
• Indexation;
• Analyze.

There are two ways to jump into the SIEM world: Some organizations are forced to deploy a SIEM solution to reach compliance requirements and others are starting a project in a due diligence and due care way.

At the moment, I’m involved in several SIEM projects (starting from pre-sales, proof-of-concept and real deployment) and I’m always a bit afraid of what customers will ask to me or what they expect from their SIEM solution. First of all, a SIEM is not a simply tool deployed on a network. It will not “automagically” work out-of-the-box. a SIEM is a project. I always split the project into three major phases:

• Collecting the events
• Analyze the events (getting their real value)
• Maintenance

The first phase (”collection”) is almost the same in all projects. It is sub-divided in several major steps like:

• Define which events must be collected and from which devices.
• Design the architecture to collect events in the best way to keep a good balance between security and performance.
• Deploy the SIEM components (agents, collectors, storage, etc)

About the event collection, let me insist in an important point. To reduce storage requirements, some filters may be defined to keep only relevant information. Always keep in mind that an event received at time “x” may seem worthless but may be really valuable in the future when you’ll have to investigate a security incident at time “x+y”.

The above steps are independent of the chosen SIEM solution. It is definitively not my goal to promote one solution or another one here. If you’d like to discuss about specific tools, contact me.

Now that your SIEM is up’n'running and collecting a lot of events from your infrastructure, it’s time to get the real value of them. Like any tool, a SIEM must be used in the right way. You won’t use a hammer to remove a screw! Things will become more complicated. If your organization implemented a SIEM solution in a pure compliance way, all SIEM vendors provide out-of-the-box “packages” to generate alerts and reports based on the compliance requirements. All standards like PCI-DSS, SOX, HIPAA and all their friends are supported.

Along with compliance needs, things will become more complicated for the consultant. He must carefully listen to the customer and analyze the organization business to help them to extract the right value from the (huge!) amount of collected data. Another consultant’s goal is to train the customer how to use his brand new toolbox. It is impossible to replace the customer. He can at most help to use the tool in the best way. All implementation differ starting from the second step of the project.

A few words about “correlation”. Do you really need it? In a SIEM context, correlation rules triggers actions (alerts, scripts, etc) based on the way events generated by one or more devices occurred in a specific order with or without time constraints. Correlation is a complex process and the rules definition may require a lot of time (definition, test, debugging). Before deploying correlation rules, you must be assured of the quality of the collected events. Often log management tools already propose powerful alerting features and correlation is not mandatory but may help the organization which is facing a precise operational issue.

Finally, the last step is to define all the mandatory procedures to keep the SIEM environment update and powerful:

• Incident management procedures: how to process alerts generated by the SIEM.
• Change management procedures: configuration of new devices and applications to send events to the SIEM and decommissioning of all old components.
• Assets management procedures: plus-value can be added on events by running vulnerability scanners or linking to an online vulnerability database.

Conclusion: Before implementing a SIEM, you must have clearly identified needs! Define a scope and stick to it during the whole project. The “KISS” principle (”Keep It Simple and Stupid“) is a golden rule! Collect events from a limited number of devices (ex: a public DMZ). The deployment will be a success if the SIEM is able to improve your daily operations: Reduction of time required to investigate incidents or immediate notification in case of suspicious activity. Even if a SIEM is a based on highly technical tools, it remains a business tool. Its ROI (”Return On Investment“) must be proven to the management.

It was announced a few days ago: Microsoft COFEE has been leaked on the wild Internet! Microsoft COFEE stands for “Computer Online Forensic Evidence Extractor“. This “forensic swiss army knife” is available for free to police forces around the world to conduct official forensics investigations.

Note: It’s reportedly illegal for unauthorized people to download and use this software.

Microsoft already communicated on this issue and does not seem bothered.

COFEE is based on three components:

• A GUI interface for the investigator,
• The command‐line application to be executed on the target machine,
• The individual tools which are managed by COFEE and the command‐line application.

The software is very easy to use. The first step is to create an USB drive which will grab evidences from the target system. A GUI helps you to create your USB image with all the required tools to perform the investigations in a fully automated way. The procedure is based on profiles (pre-defined or manually created). Each profile defines which tool will be executed and with which options (flags). A lot of tools are pre-configured and your own tools can be easily added.

Next step, the freshly generated USB drive can be inserted into the target computer. It will execute the predefined scenario (depending on the chosen profile) and save all useful data on the USB drive.

Once this operation done, the last step is to come back to the computer running the GUI, reinsert the USB drive which now contains potential evidences and generate the report. The result is a XML file!

Honestly, this software is not a revolution! Compatible with Windows XP only, it just compiles a cool list of command line tools (well known by system administrators) and allows low-level investigators to easily grad data from suspicious computers in a few minutes. But the creation of profile for the USB drive may require more knowledge (investigators have to know what to search and where).

Here’s some Python code (it uses my mPDF module) to append a new PDF document to an existing PDF document to “hide” the original document. Recovering the original is trivial, you open the PDF document with a HEX-editor and delete the appended document (starting after the second %%EOF counting from the end of the file). This trick uses incremental updates.

#!/usr/bin/python __description__ = 'make-pdf-hide-original, use it to "hide" the original PDF document'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2009/11/07' """
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk History: 2009/11/07: start Todo: """ import mPDF
import time
import zlib
import optparse def Main(): oParser = optparse.OptionParser(usage='usage: %prog [options] pdf-file\n' + __description__, version='%prog ' + __version__) oParser.add_option('-s', '--line', default='Hello World', help='The line of text to print on the screen (default Hello World') (options, args) = oParser.parse_args() if len(args) != 1: oParser.print_help() print '' print ' %s' % __description__ print ' Source code put in the public domain by Didier Stevens, no Copyright' print ' Use at your own risk' print ' https://DidierStevens.com' else: pdffile = args[0] oPDF = mPDF.cPDF(pdffile) oPDF.template1() oPDF.stream(5, 0, 'BT /F1 24 Tf 100 700 Td (%s) Tj ET' % options.line) oPDF.xrefAndTrailer('1 0 R') if __name__ == '__main__': Main()

As I’m sitting here in the lobby of the Kempinski hotel I’m still figuring out what happened here in Wuxi. Jayson Street and Ming Zhou took on the challenge to organize the first real hacker/infosec conference in China and did they succeed? Yes, they did.

With a good presence of international security people like Ian Amit, Chris Nickerson, Adam Laurie, Nathan Hamiel, FX and plenty plenty more good content was assured and the outturn was pretty awesome too for a first edition in a place where this kind of conferences is not commonplace (yet).

On a personal level, I’ve made a ton of new friends and engaged in some pretty good debate about information security …

I’ll probably write more later as I’m still a little dazed and confused from what happened but that’s a good thing !

Wuxi and Excaliburcon rocked, watch out for the coming editions of this awesome conference !!

I’m looking forward to meeting up with some pals I made at Brucon and meeting some new people … and for me, after exactly 10 years, it’s a blast to finally be able to visit one of the countries I love the most on this planet (don’t try to get me into political discussions, that’s a whole different story).

Anyway … I’m off, will keep you updated whenever possible OR post a recap when it’s over.

再见

EuroTrashSecurity goes live for the first episode!

The story is quite simple: a bunch of European security professionals thought there was not enough information about the security landscape in Europe. There are already plenty of excellent security podcasts but all of them lack of stories happening on the old continent. They decided to start their own podcast focused on Europe. EuroTrashSecurity was born!

The first episode was released yesterday and, honestly, rocks for a first one! They expect to release one episode a month. Keep up the good work guys!

Link: EuroTrashSecurity episodes.

The Extensible Metadata Platform is an Adobe standard to represent metadata with XML.

More than a year ago, I added an XML-bomb to XMP-data inside a PDF document:

As this made Adobe Reader 8 & 9 crash, I reported it to Adobe. It has been fixed with the last patch cycle.

Why do I disclose the details of this vulnerability? Because XMP is not only intended to be used in PDF documents, but many other file formats. So be sure to check your software for this vulnerability.

First up, there are no stupid questions. Where would I earn the right to feel high and mighty because I know more about networks than you? There’s another million things I don’t know shit about. To go even farther, I probably learned more from this conversation than you

Here’s my view of the (old school) DMZ.

What is a DMZ ?

The name DMZ comes from the military term, Demilitarized Zone, we only wanted to have it’s proper TLA (Three Letter Acronym) so it would sound cooler. In the military, the DMZ is a pretty dangerous place to be. Best case you have guns pointing at you from both sides, worst case they’re shooting you to smithereens.

On a network, we create a DMZ to locate components that will interact with users or machines that are in an untrusted zone. Why ? Because the risk that these components are compromised is much bigger and if they would be in our trusted (internal) network, the havoc when it happened would be immense. The DMZ gives us control over the traffic that is allowed to and from the boxes, from both sides.

Option 1 : the multihomed firewall

In my humble opinion, a good SMB or branch office solution. Assuming you don’t have to much internet-facing services. We set up one interface of the firewall for internet access, one interface connects to our DMZ and the third one connects to our LAN. The rule of thumb here is to tightly control access from the internet to our (blue) box in the DMZ, make sure no access from the DMZ box to the internal network is allowed and strictly control access from the LAN to the box in the DMZ.

Option 2 : back to back firewalls

You have extensive needs for internet facing services and you have a budget too? Good ! Back to back firewalls give you a lot more flexibility. In the drawing I’ve created an internal and an external DMZ. Your webserver (the blue box) is in the external DMZ and you control access from the internet tightly. Access to this server from the LAN is extremly limited (ssh only, maybe even from a management LAN?). You might have noticed the orange server in the internal DMZ. Imagine that your webserver needs to present data from an internal database? Your worst decision might be to have the webserver connect directly to your internal database. So we set up a database server in a seperate subnet and replicate a (read-only) subset of our database, containing only the data we actually need, to this server. Again, the proof of the pudding is in the tasting. You are going to limit access between any of the subnets to only that what is strictly needed to get the job done ! And even then you are reviewing this on a periodic basis.

Option 3 : Don’t try this at home

I hope you noticed what is wrong here. You have put your server in the DMZ but also added a secondary interface that is connected directly to your LAN. This is a recipe for disaster. Sure, it’s easy to work with but by doing this you are connecting an untrusted zone with a trusted zone and bypassing your firewall in one go. Any pwnage of the server will result in pwnage of your entire internal network. It even hurt my eyes to draw this option. Let’s move on !

Option 4 : A special case

This is a scenario that is well-suited for a web application firewall (but not the best solution !). Assume that incoming traffic is encrypted (HTTPS over TCP/443) and traffic to the server behind the WAF is not encrypted. SSL termination is on the WAF. If we would implement scenario one, we would have unencrypted traffic travelling over an untrusted network, the same DMZ link. If someone would breach our DMZ, it would be trivial to snoop in on that traffic. To avoid this, we create a secondary DMZ. Thus we have an external DMZ where our encrypted traffic flows and another DMZ where the unencrypted traffic flows.

Again, the key is to control access to any machine on any network controlled by you. And check on it !

Note :

This is a very rudimentary overview of DMZ setups. I’m sure you can find more elaborate versions somewhere on the internet, but I didn’t want to disappoint you The rest of the discussion, we will continue over a few good beers.

It’s Halloween!

A security company developing antivirus solutions launched a cool propaganda related to the Halloween topic (monsters, zombies, etc): The “Kill-A-Zombie” day!

Every computer not properly protected has chances risks to become a “zombie” and be part of a botnet. Security awareness campaign are always good initiatives. What could you do to kill a zombie? Use an antivirus and keep its signatures updated. Keep your operating system and applications patched. Run a firewall and, maybe the most important: be wary and don’t fall into the “clickmania”!

Official site here.

We started with Ilja van Sprundel who talked about exploiting Delphi/Object Pascal. Applications written in Delphi are not often targets of attacks but interesting stuff can also be performed on them. That was the project presented by Ilja. Like all other languages, Delphi is vulnerable! Like in “C”, overflows, stack and head are a great way to make attacks. Once again, several calc.exe spawned from nowhere. How to mitigate? Compiler settings: Range-checking, overflow checking, By default, Delphi is not a ’safe’ language. According to the speaker, they are a lot of vulnerable Delphi applications still in use.

Followed “Ownage 2.0″, presented by Saumil Shah. Saumil explained “how to own the world one desktop at a time”. The steps are: evolution, attack the eco-system, mass manufacture and 1+1+1+… Softwares are more and more complex and more bugs are introduced by developers who make mistakes. Users awareness is very important. Saumil gave a nice definition: “users are made to click”. The surface attack today is composed of Office documents, PDF, browsers (all of them) and helpers (Flash, Java, Quicktime, …) To prove this, let’s have a look at a typical user browser:

Click to enlarge

The next topic was IpMorph or Unification of OS fingerprinting defeating presented by Guillaume Prigent and Florian Vichot from Diateam. They presented their work during FRHACK. The philosophy of this project could be “to live happy, live hidden”. Basically, IpMorph is able to make a Linux workstation being detected by a scanned as almost everything else). To develop the tool, Guillaume & Florian required a deep knowledge of other tools like nmap (know your enemy!). Some demos (recorded videos) where presented:

Click to enlarge

Some tricks for defeating SSL in practice by Moxie Marlinspike. Like said Saumil: “users just click!”. Moxie explained the story of SSL and the major issues encountered years after years. Then, he presented his own tools: sslsniff & sslstrip. He explained how he performed a nice attack on SSL websites using a certificate containing a null-character (like “www.paypal.com\0thoughtcrime.org”). Scaring: lot of websites use locks pictures on their pages or even as favicon. By using sslstrip, it’s almost impossible for the end-users to know if he’s surfing a safe or unsafe site. By the way, yesterday, I was listening to the radio, I still eared that surfing on site with “https://” and a closed lock is safe… Moxie explained how the certificate revocation issue was disabled by defeating the OSCP protocol (”3″ is the key number Finally, Moxies explained how softwares like Firefox or Thunderbird are performing their updates and how easy is it to fake them and why not force them to download false patches.

Just after the lunch, an auction was organized by syn2cat.lu. The next talk explained how to play with satellites environment (Christian Martorella). A satellite is a radio-frequency repeater. They are classified by their orbit and their functionalities (communication, GPS, …). The talk focused on DVB (Digital Video broadcast). Then Christian explained how to find DVB feeds? By using a DVB card (easily found on eBay), It’s possible to scan for feeds and attach a network interface to the feed found. Once done, wireshark can be used to sniff the traffic coming from the satellite. What are the types of attacks: DNS spoofing, TCP hijacking or attacking GRE (13% of the traffic on satellite is GRE traffic). He also showed how to make anonymous connections.

The next talk was about “Forensic and anti forensic enhancement with a HVM virtual monitor” by Adrien Derock. When I read the description of the talk, it looked interesting but the speaker gave too much theoretical slides (full of formulas) for a Friday afternoon at the end of the conference. I completely skipped this one…

Finally, the talk “When E.T. comes into Windows Mobile 6″ closed the conference. Cédric Halbronn explained how the Windows Mobile operating system can be the target of attacks. This OS is a major player on the PDA market and is a nice target for hackers. The goal was to build a rootkit for WM6 with the environment constraints (embedded, mobile, services on the table). Cédric started with some technical aspects of WM6: 4GB of addressable memory (2GB for kernel space and 2GB for user space). Max 32 process with 32 MB mem/process, etc. Security policies are stored in the registry “[HKLM\Security\Policies\Pollicies]” and easily accessible. Injection of the rootkit can be done via physical access, MMS (vulnerability in WM2003) or WAP push msg. The rootkit persistence is achieved via registry, \windows\startup or create a service. Unsigned application can be hidden (no warning to the user!) via the registry or… just add your own certificate in the privileged store!
Regarding the processes, you don’t need to hide yours: when a process has no window, hidden by default in the task manager. Worse, if you put the process name to NULL, it will be hidden in the process list! The installed backdoor is available via TCP/IP using one of the data network available (GPRS, 3G, Wifi or ActiveSync). Live demo using the backdoor webcontrol (web based tool): Cédric grabbed the emails from the target modile. To wake up a sleeping device, the attacker can send a sms to force the device to connect to the control center (always without intrusive message). Future possible enhancements? To take pictures, to use the microphone, tapping, ..

That’s all for this edition of hack.lu. As usual, interesting talks, I met a lot of people (some always known as others new) and had very constructive talks. See you next year I hope!

A spokesman for the company told their users on the television news today that there was nothing to worry about. They closed the website that hosted the compromised accounts within one minute (yeah right …) and changed the passwords of all the published accounts. Additionally he pointed out that the hacker is commiting criminal acts and anybody trying to use the accounts can be prosecuted also. Hence there is no issue for the customers.

STOP.RIGHT.THERE

Since the police is aware of the issue, this is no longer a problem for the customers? Excuse me but these accounts can be used to create self-service accounts that give access to my billing history. They can be used to surf the wireless access points from the same ISP in coffee-shops and public places. Apart from that, I should assume that the attacker has full access to my modem and might even be able to install MITM software to capture other personal and private data. Downplaying this attack doesn’t work here. You should own up and find out what the hell is allowing this adversary to get into these modems and either upgrade them OR replace them for free.

You supplied faulty products, your job now is to get in contact with the customers that have these devices and assure that their personal information is safe.

Commercial Solutions Products.

Considering you are looking for a CMS, you are looking for specific functionality. How can I bring the content that I want to communicate to my target audience as efficiently as possible. Choosing a commercial product will end up in a classic trade-off. You will choose a product that hopefully covers 100% of your needs, most of the time though it will include functionality that you don’t and never will need. Worst case scenario is that you have to choose a product that only covers 60 to 80% of your needs and all you can do is hoping that the roadmap the vendor presented to you will be respected. From a security point of view, you rely on the vendor to provide you a secure product and to up-to-date in case a hole is ever poked into it. Chances that this will happen are … high.Disabling or removing the functionality you don’t need is rarely an option so in fact this might prove to be an extra headache from a security point of view. We’ll assign the total cost of building a solution on COTS Software an initial value of 10. We all know what happens with commercial products and security … you can go and pray that it will never happen, but in the end it will … and you are laying your fate in the hands of a commercial third party that you can only hope has a proper response in case a breach occurs.

Prorietary Solution.

There is something to say for making your own CMS. You will, in the end, have a solution that fits 100% of your needs and you can start with a Secure Development Lifecycle from the get-go. This is assuming that you find security-aware software architects and developers. If you don’t find them, you’ll have to train them and hope that once they have the knowledge they don’t jump ship to go work for another employer that promises a bigger paycheck. Roberts claim that this proprietary solution is more secure because The White House owns and controls the code falls apart right here. There still is no mind-erasing software to apply to people leaving your company. Assuming you have the proper resources to monitor the site and respond to attacks. The total cost of the solution, including the development from scratch will be at least 1,5 times as high as the commercial solution and still it is not 100% watertight. Or are you gonna send the cops after each IP that visits your site with a funky agent string or performs a wget -r ? I didn’t think so either …

And then we aren’t mentioning frameworks … those are rarely (if ever) proprietary.

Free Open Source Software.

So … you’re still looking for that CMS and you just received the offers from the commercial vendors. Just buying the product will cost you an arm and a leg and then the modification and implementation still has to start. Then there’s FOSS, you can download the source of the software and build your own CMS on it. Getting the software won’t cost you a dime, adding features and functionality will cost you the same per day as the proprietary solution. Given that 80% of the functionality is already their, I would rather have those gifted architects and developers perusing the code that already exist and making it better than writing new code from scratch. If they are that gifted that they could presumably build an unbreakable CMS from scratch, I would assume they could make an existing CMS unbreakable too. The best side of this approach is that you have much more of your budget left to spend on security than in either of the above solutions.

The Conclusion.

Were you trying to tell me that the Mac-loving über-geeks at The White House couldn’t be arsed about security when they chose Drupal as their CMS for whitehouse.gov ? I beg to differ. You can bet on it that the Drupal they will use will be very different from the Drupal you can download. They knew that they didn’t want to reinvent the wheel (proprietary solution) and they didn’t want to put all their eggs in one basket (COTS). Instead they chose a free and open source products to build a solution that fits their functionality and security needs. In my humble opinion … not a bad choice at all.

In search of a new trick for that Windows 7 Launch Party you’re invited to?

Here’s one:

You can download a beta version of my UserAssist tool here. Soon I’ll be posting a final version with details and source code.

I’ve updated my WhoAmI? Firefox add-on for Firefox version 3.5.

You can download it here or get it from the Mozilla site. I’ve nominated it to leave the Sandbox. If you use it, please post a review on the Mozilla page to help it on its way out of the the Sandbox (or keep it there if it’s too buggy).

PDFiD is updated to detect the latest Adobe 0day, CVE-2009-3459.

I’ll provide more details in an upcoming post, just now for know that PDFiD detects a /Colors name followed by a very big number (larger than 2^24 or 16777216).

You can download PDFiD here.

Topics covered in this issue:

- Using real-time events to drive your network scans
- Review: Data Locker
- The Nmap project: Open source with style
- Enterprise effectiveness of digital certificates: Are they ready for prime-time?
- A look at geolocation, URL shortening and top Twitter threats
- How “fake stuff” can make you more secure
- Making clouds secure
- Q&A: Dr. Herbert Thompson on security ROI and RSA Conference
- Book review – Cyber Crime Fighters: Tales from the Trenches
- Top 5 myths about wireless protection
- Securing the foundation of IT systems
- A layered approach to making your Web application a safer environment
- In mashups we trust?
- Adopting the security best practice of least privilege
- Is your data recovery provider a data security problem?
- New strategies for establishing a comprehensive lifetime data protection program
- Security for multi-enterprise applications
- EU data breach notification proposals: How will your business be affected?
- Book review – 97 Things Every Software Architect Should Know
- Safety in the cloud: How CIOs can ensure the safety of their data as they migrate to cloud applications
- Vulnerability management

http://www.net-security.org/insecuremag.php

SLP (System-Locked Pre-installation) and SLIC (Software Licensing Internal Code) are the mechanisms used by OEM computer manufacturers to factory activate pre-installed Windows operating system on computers so that activation process of Windows is done automatically once a user boots his new computer for the first time. From a leaked Windows 7 .ISO the boot.wim file was extracted to retreive the OEM SLP key, plus the OEM activation certificate. Using a loader, a SLIC that results in a valid validation can be emulated before Windows boots.

At this time different Windows 7 activators are already spreading the Internet for Windows 7 Ultimate, the only Windows 7 version that was leaked until current.

Windows 7 was released to manufacturing on 22nd of July 2009. The official Windows 7 release date for the retail market is the 22nd of October 2009.

Table of contents:

* Malicious PDF: Get owned without opening
* Review: IronKey Personal
* Windows 7 security features: Building on Vista
* Using Wireshark to capture and analyze wireless traffic
* “Unclonable” RFID – a technical overview
* Secure development principles
* Q&A: Ron Gula on Nessus and Tenable Network Security
* Establish your social media presence with security in mind
* A historical perspective on the cybersecurity dilemma
* A risk-based, cost effective approach to holistic security
* AND MORE!

When reading the comments of users on the article, I was astonished by the amount of Dutch people that were frauded by selling items and accepting PayPal payments. The typical PayPal fraud scenario would like like this:

• A buyer (the counterfeiter) buys goods using PayPal
• The seller receives the money for the goods and sends the object the buyer bought
• The buyer lodges a claim to PayPal for a non-authorised payment that took place with his PayPal account
• PayPal transfers the money back from the buyer to the seller’s account without requiring consent of the buyer
• The buyer received the goods and didn’t pay for it
• The seller’s PayPal account is frozen; he lodges a claim against the buyer
• PayPal rejects the claim if the seller cannot provide all the receipts of sending the goods
• The buyer is frauded and cannot lodge another claim since PayPal only allows 1 claim per transaction.

I know when buying/selling goods online, making payments via website such as MoneyGram and Western Union is a no go, but these PayPal stories were new to me.

Read out the story on this page of the poor man who’s business went bankrupt by PayPay fraudsters.

3 statements listed on paypalwarning.com to remind users of the control you give to PayPal when using the service:

• Can PayPal hold my money with no explanation? The answer is YES.

• Can PayPal freeze my account for no reason? The answer is YES.

• Can PayPal take money out of my account without my knowledge? The answer is YES.

Personally I do have a Paypal account as well. I used it only once in the past, but as of now, i’ll think twice before I will commit into another PayPal transaction.

Check out other horror stories at:

http://www.aboutpaypal.org/
http://www.paypalwarning.com/

http://www.paypalsucks.com/

http://www.screw-paypal.com/

Here’s all the scam emails I received when responding to cars advertised on the gumtree.com.au website:

Re: Reply to your “2006 TOYOTA COROLLA HATCHBACK” Ad on Gumtree

from Emilio Narsete <emilio.narsete13@rocketmail.com>

A whopping 40% of the used hard drives on eBay contain easily recoverable personal data. Use the following guide to ensure your personal data never makes it out into the wild.

Pretty scary words ain’t it… but it’s not far from the truth! Read the article to tutor yourself about the matter as you probably don’t want anyone to invade your privacy.

The first step in securing your data is bolstering your understanding of how data is stored and what happens when you delete it. Many people operate under the impression that when they delete a file it’s gone, as though they had torn a page from a book. But the way most operating systems handle such events is by simply removing the little marker that points to the file. That’s more like having information written on a chalk board in columns, each column labeled with a header, and then simply erasing that header to signify that column is “deleted” and available for future writing over. Anyone who looks at the board can read everything written in the column, until someone starts writing over it.

At the recent BlackHat Washington conference, a nice presentation was given about new man-in-the-middle techniques for SSL

The presentation starts with a good intro-primer on how SSL certificate validation works, continues with explaining how the old MITMs worked (including the trick with the intermediate CA which is used by most SSL inspection devices) and goes on with how it can be defeated now with stripping https or providing real valid https connections with ‘just’ a valid wild card certificate and some homo-graphic tricks.

The impact of this is not alarming in my opinion as there were already mitm tricks which worked. Attackers tend to stick to simple things that work before moving on. This is just an addition to the arsenal of tricks to fool a user into thinking his connection is secured. However, this might even trick the more experienced computer users and not only your mom who does a little online banking.

The presentation is worth a read because it gives a nice background on SSL validation, makes you think about website security architecture and makes you a little more paranoid when surfing the web in a public place.

This just shows once more that the cornerstone of SSL is trust. If you can come up with a way to get your malicious stuff to look trustworthy, it’s game over.

Bloggers are usually well aware of the dangers of being accused of libel, and that’s why most independent online journalists are very careful to make sure that everything they write about someone on their blog is backed with documentation and evidence. But when someone writes something libelous about you, you need to be well prepared to fight back hard.

So what can you do? Read the article @ makeuseof.com!

Sidenote
In November a Dutch waitress got “shut down” by a Belgian politician after comments about his visit to NY. I guess that’s the downside to the “libel” part, who’s the judge in right/wrong?

Yesterday, I bought a new wireless router for home. I was in the computer store to buy some DVDs and picked it up in more of an impulse. My old router was not performing well so I bought the first draft-n gigabit router I happened to stumble upon after quickly having verified that it was supported by dd-wrt.

Back home, I noticed that I was a little too quick in verifying the dd-wrt support. It will be supported by dd-wrt but currently it is still a work in progress. So I decided to use the stock Belkin firmware for now. However, one minute later, I stumbled upon a major problem in that plan. The little router does not support DHCP reservations which I need in my home network. I could offload DHCP to another small device in my network but I preferred to have the router handle it.

This leaves three options for getting DHCP reservations in the box:

1. cross-compile my own firmware (GPL sources and MIPS toolchain are available for download)
2. modify an existing Belkin firmware image by injecting extras in the image
3. hack into the router and modify configuration parameters to support DHCP reservations.

I decided to see what’s behind door number 3 and after a an hour or two I found two ways of adding your static DHCP leases to the device.

The first way is by modifying he configuration file of the device. You can backup the running configuration from the GUI and save it to your local PC. That backup file (user.conf) contains all nvram parameters to get the router configured. I noticed that it had quite the same parameters as my old linksys router. Especially the parameter static_dhcp_clients was of interest to me. After looking at the linksys example, I filled it up with my dhcp leases :

static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1

After feeding it back to the GUI (restore configuration), the GUI told me the CRC was incorrect. Some trial & error learned me that the check was a CRC-32 (8 bit) check done over all the parameters. This checksum was put at the end of the file in hex. With this knowledge, I opened up my hex editor, changed the checksum, uploaded the modified configuration and after a reboot of the router, I had static leases working!

The second way I found is even easier. There is a hidden web page in the administration website : http://routerIP/wukongjiuwo.html. This is a diagnostics page which gives you web-form based console access to the device. In the console, the following command followed by a reboot should bring static dhcp leases in the box:

nvram set static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1

If you decide to use some of this ‘wisdom’ on your own router, please do so at your own risk!

I read your piece discussing Mozy and thought you might be interested in
another vendor, SpiderOak. They provide a free, secure, automated approach for
storing, backing up, accessing, and sharing personal files. SpiderOak is the
only backup software to work across ANY platform (Mac, Linux, and PC) – it
also has unparalleled anonymity, there is literally no visibility into anything
being stored – not even SpiderOak employees have access to the data.

I must admit that I haven’t tried out SpiderOak, but it seems to offer the same kind of service as Mozy. So it’s only fair that I’d give it the same spotlight…

First of all: No I am not dead and yes I will continue to blog here. I just took a bit of a ‘blogging sabbatical’ the last couple of months.

That said, I (and many others so it seems) downloaded Chrome, Google’s vision of a web browser this week and played around with it for a while. A new browser always means new (or old) vulnerabilities and Chrome does not seem to be an exception to this. Google has a pretty good track record in following up on vulnerabilities so they will hopefully fix them soon.

On the positive side, it seems that Google really thought about security in Chrome by isolating processes for different tabs and enforcing a security model. They explain most of it in a cartoon you can find here.

Although I like the layout, the speed and the software design of Chrome, I will not be moving away from Firefox just yet. Even if all known vulnerabilities were to be fixed, there is one feature in Firefox which I think every browser should have and Chrome hasn’t: a decent password manager.

As a security conscious person, I use different passwords for each website I use on the internet. Unfortunately, I can’t remember all of them, so I store some of them in Firefox. I know I could use a tool like KeePass (and I do) but for most sites I find this overkill. Now what I like about Firefox is that you can specify a master password. Without this master password, you cannot unlock the password file (signons3.txt, passwords, and key3.db, the key, in your profile folder). This even survives a copy of the files. When you copy both files to another computer, you still have to specify the master password before getting access to the stored (encrypted) passwords.

Now back to Chrome. The profile data (in Vista) seems to be stored in C:\Users\username\AppData\Local\Google\Chrome\User Data\Default. There is an SQLite file called ‘Web Data’ in that folder and this seems to contain the URLs and (obfuscated) saved passwords. Since there is no master password functionality as there is in firefox, this file can be copied to another computer. Doing this gives the other computer access to all websites were there is a password stored for in the file (yups, I verified this).
This might not seem like a big deal but think about it. Every process running on your computer with the same rights as the user (or more) has access to these password storage files. This includes malware as well…

So I’ll stick to Firefox for now

The features of Mozy;

• Block-level incremental backup: After the initial backup, MozyHome only backs up files that have been added or changed, making subsequent backups lightning fast.
• Open/locked file support: Mozy will back up your documents whether they’re open or closed.
• 128-bit SSL encryption: The same technology used by banks secures your data during the backup process.
• 448-bit Blowfish encryption: Secures your files while in storage, providing peace of mind that your private data is safe from hackers.
• Automatic: Schedule the times to back up and MozyHome does the rest.
• New and changed file detection: MozyHome finds and saves the smallest changes.
• Backs up Outlook files: Disaster-proof email protection.

An the last thing… You get 2GB of free online storage space! This might help you to keep important data safe?!?

An article in Datanews (dutch only) today reports on the police arresting four ex-CCC members on two facts:

1. They were linked to a terrorist organization in Italy
2. They had ‘encoding’ software on their PC’s to securely wipe hard drives. (most likely the reporter meant wiping instead of encoding.)

On the first fact, I can certainly agree but with regards to the second fact, I did not know it was illegal in Belgium to have this kind of software installed on your PC.

I for one have Truecrypt as encryption software and Eraser as DoD compliant erasing software installed on my laptop. Am I a terrorist now?