Eon Security Blog

MITM, almost: Redux

2008-03-13T16:03:00.006+08:00

Apparently one of my OpenWRT boxes still uses OpenDNS. I was checking my Godaddy account then a Mozilla Firefox security error popped up. Note the https at the end of the host.I didn't accept the certificate since I was already logged in. Unfortunately it didn't happen again so I was not able to verify. Was it a one time or erratic glitch? I'm not very sure who is at fault here, Godaddy or

ICC stack-security-check

2008-03-10T12:13:00.014+08:00

Recently I've been playing with the Intel C++/C Compiler. Code produced by the compiler reportedly are optimized better than GCC's. I'd say it's overrated and only gives perceived speed increase for common use. I noticed that by default it produces AT&T assembly instead of Intel. Anyway, I'm more interested in its security feature.$ icc -help...-fstack-security-check enable overflow

DDoS progress

2008-03-07T15:35:00.014+08:00

The Gala Coral Group reported that last year their gambling sites got hit by a 10Gb DDoS attack. The Information Security Officer spoke at the recently concluded e-Crime Congress 2008. I'm not sure of the exaggerations but an interesting part is:Attackers disguised the build up of traffic from up to 30,000 PC and Apple Mac botnet computers during the attack by analysing and reproducing the

Recycle

2008-03-07T00:29:00.006+08:00

Easily recycle thousands of compromised boxes using these easy stepsSearch for commonly used defacer messagesPick a defaced siteFind out how they got inPatch the entrance (optional)RepeatBecause of forgotten web applications lying around web directories not updated those steps can be very effective. Some defacements can go undetected for many years. If someone can create or edit files in web

MITM, almost

2008-03-04T11:05:00.009+08:00

Yesterday I wanted to check my bank balance. Clicked on the my bank's ebanking interface but I was presented to what looks like a self-signed certificate warning. Not a good sign as this means a possible MITM. For comparison the self-signed certificate is here. A legit certificate from the bank is here.I proceed to accept the self-signed certificate to see if it's really a MITM. To my

Holes

2008-03-03T13:20:00.012+08:00

A week ago the OpenBSD 4.2 errata page have been updated with two fixes or vulnerabilities, depending on who you ask. In case you are not aware, OpenBSD doesn't have formal or official security advisories. You have to check the errata page for security vulnerabilities.008: RELIABILITY FIX: February 25, 2008 All architecturesMalformed IPv6 routing headers can cause a kernel panic.007: RELIABILITY

Violent Upgrade Cycle

2008-03-01T14:25:00.008+08:00

A RedHat fan visited the NASA Telescience Lab to check out the RHEL and Fedora Core installations. One of the pictures caught my attention.If it ain't broke, don't upgrade it, right? Actually one of the guys in the lab told me they are in the process of upgrading to Fedora 8 and playing with 9 alpha.This machine is possibly http://countdown.ksc.nasa.gov/. I'm not sure what's their policy for

Big Mac

2008-02-29T22:31:00.005+08:00

PayPal warns against using Apple's Safari:Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer.A perfectly valid reasoning. A couple of Mac users cannot seem to understand the precaution suggested.In other news, Apple customer service

Revisiting OOB

2008-02-28T13:57:00.004+08:00

I was reading the entry for TCP at Wikipedia, one thing that caught my attention is the description of Out of Band data. The verbatim description:You are able to interrupt or abort the queued stream instead of waiting for the stream to finish. This is done by specifying the data as urgent. This will tell the receiving program to process it immediately, along with the rest of the urgent data. When

Point and Click Trojan

2008-02-26T11:53:00.011+08:00

SharK definitely dumbs down Trojan creation, requires no programming skill at all. It allows for the creation of malware with features such as:encryptionpolymorphismcustom payloadsvirtual machine detectioncompressiondebugger detectionpassword miningremote managementsoftware inventoryactive process and network connection informationcapture desktop and webcam imagesrecord audiolog keystrokesanalyze

Posix File Capabilities

2008-02-23T08:20:00.003+08:00

I mentioned before that suid binaries are getting scarce. In Linux, since 2.6.19-rc5-mm2 posix file capabilities are implemented. It was introduced into mainline in 2.6.24-rc2.As an example let's look at the ping program, as you may know ping needs CAP_NET_RAW to generate raw packets and the old practice is to make the ping executable binary suid root. Tinyping is a small assembly version of ping

Post Valentine DDoS

2008-02-21T11:50:00.008+08:00

As seen from various sources such as Arbor, Shadowserver and a couple of gambling sites, DDoS is back in the limelight. Gambling sites were getting hit since around Valentine's day.I've noticed small 12-hour attacks from Feb 13-15 on a couple of gambling sites hosted here in the Philippines. I reckon the attack is not directed to the sites I'm monitoring but is getting affected by attacks on

No credit = exploit

2008-02-20T10:53:00.007+08:00

Because Microsoft refused to credit the researcher who reported MS08-011/CVE-2008-0108 a corresponding exploit was publicly released. A person or group going by the name chujwamwdupe chujwamwdupe posted the exploit to Full-disclosure.Unfortunately, Microsoft has refused to credit you using the name you requested.I think there's a mixup in the iDefense Labs advisory, unless sillypea is

Top 10 Podcast Episodes

2008-02-18T14:42:00.020+08:00

Over the years I have compiled my favorite security podcast episodes. Here is my list of top ten shows. Most of these episodes are interviews. Here they are in no particular order:The Silver Bullet Security Podcast, Show 013 - An Interview with Ross Anderson Gary McGraw interviews Ross Anderson author of the book Security Engineering. He is one of the researchers in the Security Group at the

OpenDNS proxying

2008-02-16T17:48:00.006+08:00

An old issue but new to me. Their supposed to be reason for doing this is ridiculous. $ dig @resolver1.opendns.com www.google.com; <<>> DiG 9.4.1-P1 <<>> @resolver1.opendns.com www.google.com; (1 server found);; global options: printcmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3375;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:;

Coredumps

2008-02-16T11:19:00.013+08:00

I noticed a design error similar to CVE-2007-6206 in DragonFly BSD. It is reported that OpenBSD and FreeBSD exhibit the same.