I was recently discussing Dwolla with a colleague.   While I think it is a great idea, I’m not sure it will replace credit cards anytime soon.

Here’s my thoughts:

1) Dwolla offers great benefits towards a merchant than an end-user who uses its services – There’s little incentive for a consumer to use this service to pay for common everyday purchases versus using a credit card.   The majority of the time, the merchant eats the costs of doing business charged by the credit card company.  This is rarely passed on to the consumer.  There are some exceptions to this but this is rare in my experience.   The merchant however will be saving big on this yearly.  2-5%  plus a transaction fee per item purchased adds up and would be significant savings to a merchant.

2) A consumer is safer using a credit card – The consumer has much less risk using a credit card than a service like Dwolla.   The maximum liability for most end-users is $50 or less with most credit card companies.   The money never goes directly from their bank account.  I, for one, am extremely hesitant to give any service my bank account information to anyone on the web. I understand the argument that people are smarter paying with cash.  However, I think someone can be just as smart paying with a credit card and paying off the bills before the end of the month.

If you compromise my credit card, I’m at fault for a maximum of $50 and the credit card company will do everything in their power to track down who committed the fraud, especially if a large amount was charged.  If the fraud occurs with a personal bank account, I don’t think a bank will be as eager to help and return your money, especially if it is a higher amount.  They may return what you lost if it is a smaller amount (under $1000 or relative to what you had in your bank account).  What could happen if my Dwolla account was compromised, it’s directly linked to my bank account.  It’s sort of the same risk as using PayPal.

Instances where I believe Dwolla will be effectively used and may take off:

1) Transfers between two or more 100% trusted parties – paying rent, paying utility bills, lending money to friends/family, etc.  This is better than PayPal, bank transfers or credit card charges, especially if you trust who you are sending money to and trust to get the money back.

I’m interested in hearing from people who are have used Dwolla and seeing what their thoughts and experiences are.

I just found out about this program recently.  I’m not endorsing SANS/GIAC so to each his/her own.

I decided to give it a shot.  I applied and got accepted to the SANSFIRE 2012 conference helping out with the SEC660 – Advanced Penetration Testing, Exploits, and Ethical Hacking course.  I’ll post back after it is over and say how my experience was.

Basically for the $850, you get access to the class and materials, access to the on-demand training for the class for 4 months, access to after-hour events/training, and free exam (GXPN in my case) if you are local to the conference or stay at the conference hotel.   In exchange, you’re giving up a week to attend the conference (which you would have done anyway if you were taking a class) and you’re an extension of the SANS staff so you’re helping out where needed.

SANS Work Study Program

I just read this article on the Social-Engineer.org newsletter and couldn’t help but smile

Two different perspectives:

The Sydney Morning Herald – Thieves Steal 10-tonne bridge

The Vancouver Sun – Czech thieves steal 10-tonne metal bridge

Basically, they tricked the the local depot workers and supposedly the police with their story and fake documents.  Only after the entire bridge and tracks were stolen did anyone from the rail station try to verify the authenticity of the paperwork.

I’m guessing it could also be an inside job?

Here’s Chris Hadnagy’s story from the Social-Engineer.org newsletter:

Czech Social Engineers Steal a Bridge

In the town of  Slavkov, Czechoslovakia, a gang of social engineers arrived at the train station one morning posing as construction workers. The gang approached the depot personnel with work orders to demolish the steel footbridge that went over the tracks as well as a portion of railway track supposedly to make room for a cycle path. Apparently, the documents and the story were official enough that depot personnel approved the work order and the gang began work dismantling the bridge.

One Russian newspaper stated that a group of police stopped the thieves and when the men presented their forged paperwork, the police left them alone.  The paperwork looked legit and seemed to be in order.

Only after the bridge and tracks had been fully dismantled and hauled away did anyone from the rail station bother to verify the authenticity of the documentation along with the story told. Imagine their surprise when they learned there was no such work order to demolish the bridge and that thieves just stole a bridge right under their noses! It is estimated to cost millions of dollars in steel to rebuild the bridge.

Forged documentation is one of the social engineer’s favorite tools and depending on the quality of the forgery, can yield devastating results. With a simple badge printing tool, found easily on the Internet, combined with the plethora of employee badges that can be found scattered about Facebook, Flickr, and Twitter, forged documents can go a long way. At last year’s Social Engineering Capture the Flag event, at least two contestants discovered badges that clearly identified every piece of information an attacker would need to duplicate the badge.

Below are some of the IT/Security related and General pod-casts I try to keep up regularly.  I don’t have time to listen to them all but I use BeyondPod on my Android to automatically download them so I have them around when I do get time to listen.   It syncs up with Google Reader as well so I throw all my pod-casts into a folder there and let BeyondPod automatically retrieve them.

If anyone has any recommendations for other good ones, let me know.

Bobby

InfoSec Daily Podcast – Great team that does a daily catch-up and review of the news in the Information Security world.  They’re dedicated and I don’t think they’ve ever missed a day since they’ve started.  They usually keep the episodes at about 35-40 minutes.  Good enough for listening while working out

SecurityNow! – Leo and Steve are a good pair and this is a great podcast especially if you are just getting into security.  They do a 1-1 1/2 hour long podcast every week.

Social-Engineer.org Podcast – This is a great podcast if you are interested in social engineering.  Most of the major attacks you’ve heard about lately were due to social engineers (RSA, Google, major defense contractors, etc).   They usually have experts in various fields who do a talk on their professional insights into social engineering.

Packet Pushers Podcast – This seems to be an interesting look at networking and security.  I’ve just started listening to it and it’s been good so far.

CERT’s Podcast Series: Security for Business Leaders – This one can be dry most times to be honest but it’s an interesting look especially if you are working on the federal side as they tailor many of the talks towards different NIST and Federal related policies, publications, etc.

Fareed Zakaria’s GPS – If you ever seen the show on CNN, this is just the audio version of it on a podcast.  I like Fareed’s way of looking at the world and it’s a good way to catch up on the major news going on in the world

Is anyone seeing ads on the RSS feeds?  I was able to remove the ads from the web pages itself.  However, I’m still seeing ads on the RSS feeds from Google Ad Choices but a few friends who I’ve asked about it aren’t seeing it.

If anyone else is seeing them, can you let me know?   Anyone know how to get rid of the Ad Choices ads from the RSS feeds?  I use Google Reader mostly to view all of the blog RSS feeds and I haven’t had it inject ads before.  I’m seeing ads through all of my devices…mobile phone, tablet and laptop.

Bobby

Quick intro…

I’m Bobby and I worked out an agreement with Matt to take over AttackVector.org.  Matt has the opportunity to come back and post whenever he has time again. I was a regular reader of this site and enjoyed reading Matt’s postings.

A little about me, I’ve been in the U.S. military for 5 years, worked as a government contractor for a few years and now work as a consultant through my own company, Guarded Horizons Inc.   Altogether,  I’ve been in the IT & security world for 12 years now and was considering getting into blogging so this seemed like a good opportunity to give it a shot.   I also wanted to see the site continuing to offer security related information.  A lot of what I do nowadays is security and network architecture design and deployment. I’d like to get more into pen-testing and security research.

I’ve launched two websites over the last 6 months to a year and now spend a good deal of my time managing everything associated with it. The idea behind the VPN services I offer is to provide security/privacy when you are in public or open WiFi hotspots, in hotels, or traveling outside the U.S. Another use when you are overseas is that it will allow you to access U.S. content that is normally blocked (Netflix, Hulu, Pandora, etc).

You can check them out at http://www.tunnelguard.com and http://www.apovpn.com

APOVPN is geared more towards the American & military community living abroad. TunnelGuard is for everyone else. Basically I was getting a lot of questions about what the heck APO means. If you’re not associated with the military or government, it really doesn’t make sense and just sounds like a funny word

As far as the site content and moving forward, I moved over all of the site content I could. I don’t think the user accounts moved over properly so users may have to register again. If you have any issues, shoot me a message to bobby@attackvector.org.

I’m going to keep the website looking the same…minus the advertisements. I’m not a big fan of the Google Ads, I’ll keep one small banner up for my site TunnelGuard and that’s about it.

I’ll try to post regularly and share my thoughts and ideas with the info security world. I have some friends with similar mindsets as well so I’ll see if any of them would be interested in blogging as well.

If there are security minded people following this blog who would be interested in blogging periodically, send me an email!

Bobby

Do I still have any regular readers left? I hope so, even though I’ve greatly neglected you. I wont even bother with excuses. BUT, here’s a post to prove that I still know what I’m doing!

So, if you’ve been following some of the other blogs (specifically, Krebs), you’ve probably seen the hubbub about ZeusTracker. If not, I highly recommend you click on that previous link and go read. It’s long, but quite interesting.

ZeuS, if you’re unaware, is a big botnet that’s used heavily in cyber crime. You don’t want to get infected by this. To those who manage networks: You don’t want your users to get infected by this.

ZeusTracker is watching for Zeus C&C traffic via honeypots and documenting the known hosts/domains/IP’s associated with them. They’ve created a nice list that can be easily imported in to iptables, Windows host files, Squid, et. al.

I run Squid on one of the gateways here, so I decided to utilize that to implement this blacklist. Squid makes this incredibly simple, which is also a big plus.

In your Squid config file, you’ll see a section that’s all about ACL’s (access control lists). If you scroll down far enough, you’ll see a section that says:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

So, the simplest way to implement a blacklist is by adding the following just below that comment. Mine looks like this:

# ZeuS C&C domains
acl blocksites url_regex "/etc/squid/zeus.txt"
http_access deny blocksites

Pretty simple, eh?

‘Course, now you have to create the “zeus.txt” file, otherwise that rule isn’t going to do you any good. If you go to here, you’ll see a list of files that all contain the hosts & ip’s that ZeusTracker knows about. In this case, you want the one formatted for Squid.

Now, you’ll need for this to update, say, daily, so you’ll need to create a script and invoke it via Crontab. Here’s my stupid-simple script:

#!/bin/sh

/bin/rm /etc/squid/zeus.txt
/usr/bin/curl "https://zeustracker.abuse.ch/blocklist.php?download=squidblocklist" >> /etc/squid/zeus.txt
/etc/init.d/squid restart

It simply deletes the current zeus.txt file, downloads the newest version via Curl, and then restarts Squid.

This is a really quick & easy way to (help) protect your network from this trojan/worm/whatever you want to call it. I’ve noticed recently that even a user who is running a fully patched version of Windows (Vista), with Google Chrome, this thing is still capable of infecting the machine. I haven’t found any real good information on how, but from what I’ve witnessed, it appears to be a Java exploit.

Anyway, give this a shot!

OK, so I’ve received a couple of emails from different people wondering if I was abducted by the NSA, assassinated, or if I’m on the run with Julian Assange.

No, no, and.. no. Though, that’d be pretty sweet. Minus being assassinated. That would suck.

Honestly, right now, I’m being pulled in like, 73 different directions. which doesn’t leave me with much time for anything else, including a social or blogging life.

But! I expect that I will be able to begin blogging again within the next few weeks and hopefully will return to my regular production level.

I don’t want you guys to fall behind, though.. so let me summarize the past few weeks in the security world:

Microsoft 0day
Microsoft 0day
Stuxnet
Adobe 0day
Java 0day
Microsoft 0day
Adobe 0day
Adobe 0day
…Adobe 0day
Facebook privacy
Julian Assange

There, consider yourself up to date.

This was discussed at DefCon 18 in a talk by Sammy Kamkar, but as far as I know, Sammy didn’t release his code, so I had to come up with something on my own.

First, one big difference. His version of this uses the Google Location Services API. I’ve opted to use the Skyhook service instead because there’s far more documentation and sample code that exists using this API, whereas I was unable to find anything too terribly helpful when it came to using the GLS API for this particular purpose. If anyone has any insight on this, please, please, let me know. I’d like to incorporate that into this script for comparison data.

Ok, so, how does this work, exactly? Both companies (Google & Skyhook) have employed a large number of people to drive around with laptops, GPS’s, and cameras attached to the roofs of their car in order to create a database. Everyone is aware of street view by Google, but were you aware of the fact that they also record wireless information? Well, I guess probably most people are aware of that now, considering the issues they had in Germany, but what you probably weren’t aware of is what this data is used for. Google and Skyhook both provide this database for software based location systems.

So, whats in the database? Skyhook is pretty open about the fact that they’re collecting wifi data in order to provide better location services. They call it “XPS”, which combines information from wifi, GPS, and cell phone towers to pin point an exact location.

Anyway, what does that mean for us? It means that we can query this database with a BSSID from a wireless network and get the nearest address and coordinates returned. Thanks SkyHook!

Here’s an example. Not too long ago I was in the cities and did some driving with a buddy of mine. I’ll demonstrate this using a BSSID that was in the log created on that drive:

$ ./getloc.pl 00:24:B2:1E:24:FE
490 Robert St N
Ramsey county
St. Paul, Minnesota 55101
Latitude: 44.95063
Longitude: -93.0940583

http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=44.95063+-93.0940583&sll=37.0625,-95.677068&sspn=57.815136,114.169922&ie=UTF8&t=h&z=17

So, using just the BSSID I’m able to get a house number (in this case, a building number), street address, and the coordinates.

Here’s my code.. feel free to modify it/add to it/whatever.. but if you add anything cool, please let me know.

#!/usr/bin/perl
# www.attackvector.org
#
use LWP::UserAgent;
use XML::LibXML;

$url = "https://api.skyhookwireless.com/wps2/location";
$ua = LWP::UserAgent->new;
$handler = XML::LibXML->new();

$bssid= $ARGV[0];
$bssid =~ s/://g;

if($bssid eq "") {
 print "Usage: $0 n";
 print "Example: $0 AA:BB:CC:DD:EE:FFn";
 exit(0);
}

sub response {
    my ($response) = @_;
    $xml = $response->content;
    $xml =~ s/n//g;
    $page = $handler->parse_string($xml);
    if((@{$page->getElementsByTagName('longitude')}[0]) ne "") {
        $lat = $page->getElementsByTagName('latitude');
        $long = $page->getElementsByTagName('longitude');
        $streetnum = $page->getElementsByTagName('street-number');
        $streetname = $page->getElementsByTagName('address-line');
        $city = $page->getElementsByTagName('city');
        $zip = $page->getElementsByTagName('postal-code');
        $co = $page->getElementsByTagName('county');
        $state = $page->getElementsByTagName('state');
        print "$streetnum $streetnamen";
        print "$co countyn";
        print "$city, $state $zipn";
        print "Latitude: $latn";
        print "Longitude: $longn";
        print "http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=" . $lat . "+" . $long . "&sll=37.0625,95.677068&sspn=57.815136,114.169922&ie=UTF8&t=h&z=17n";
    } else {
        print "No results for $bssidn";
    }
}

$request = "

  
    
      beta
      js.loki.com
    
  
  
    $bssid
    -50
  
";
$response = $ua->post( $url, 'Content-Type' => 'text/xml', Content => $request );
response($response);

If you come up with or know of any creative ways to remotely obtain a BSSID, please comment below. Sammy mentions using XSS, but this only works against the Verizon FiOS router. I’m thinking a Java applet or script and UPnP. I’ll let you know if I come up with anything interesting.

So, I’ve come across a lot more information regarding the no-longer-0day Adobe vulnerability (oh, wait, that’s right.. there have been like, 12 in the last 30 days.. I’m referring just to the SING table one).

Anyway, a penetration testing company named Ramz Afzar has released an unofficial patch to fix the Adobe vulnerability, because apparently Adobe has had a difficult time figuring one out on their own.

After reading their analysis of the vulnerable code, this jumped out at me the most:

After initial analysis we’ve discovered that exploit exists in insecure strcat call located in CoolType.dll:
(all addresses and names are from Latest Acrobat 9.3.4′s CoolType.dll)

0803DDAB E8 483D1300 CALL JMP.&MSVCR80.strcat

So, what does ‘strcat’ do, exactly? It basically appends a copy of the source string to the destination string. Example:

main () {
  char adobe_rulez[20];
  strcpy (adobe_rulez,"our ");
  strcat (adobe_rulez,"software ");
  strcat (adobe_rulez,"pwnz! ");
}

Pretty self explanatory. HOWEVER. What DOESN’T ‘strcat’ (or any of the other strc* functions, for that matter) do? Bounds checking! This is a classic overflow due to idiotic programming practices. Really, Adobe? The 15 years of hounding from security researchers haven’t been enough for you to ingrain it into your programmers that the use of strc* will get them fired, or lynched, or burned at the stake? Beyond that, your entire testing/debugging department missed this as well?

Heres’ what they SHOULD be doing:

#define MAXLEN(s) ( sizeof(s)/sizeof(s[0]) - 1 )

char buf[20];

void write( char data[], int n ) {
   strncat( buf, data, __min( n, MAXLEN(buf)-strlen(buf)) );
}

main() {
   strcat(buf, "now it looks like ");
   write("we know what we're doing");
}

Note: The above code is just an example – I don’t even know if it will compile or not. The idea is simple, though. You define the size of a buffer and you want to ensure that the data going in to that buffer doesn’t exceed the size of the buffer. What a concept. Bounds checking is nothing new, so there are plenty of resources out there to educate those who are unfamiliar with it. But, if you’re getting paid big bucks as a programmer for a company, you should know what the hell you’re doing. Sorry, that’s just my personal opinion. *cough*.

Anyway, So, first they’re writing code using functions that have been known to be vulnerable to exploitation for about 15 years and second, they’re now being shown up by little companies who are writing patches to fix the holes that they’re not. And apparently Adobe thinks it’s okay for this vulnerability to be left unpatched until the 4th of October?? Are you kidding me??

I caught some grief when I wrote the Open Letter to Microsoft post about how it’s difficult to write code in a team setting and that it’s difficult for large companies to meet deadlines and whatnot, but honestly, how do you argue with this?

And, whats more, is that a company that does not have access to the source code of the DLL was able to fix the issue, yet the company responsible for the software is not/wont/doesn’t care/can’t find a way to patch it on an expedited schedule? Seriously, this October 4th date is really feels like a, “Eh, we don’t mind that all of our customers are vulnerable to exploitation and corporate espionage.. we’ll patch it when we get around to it” kind of date.

Whats more, is that Adobe has apparently released a statement telling people to not install 3rd party patches or from “untrusted” publishers. So, instead, just remain vulnerable until we get off our ass and do something about it.

Tell you what, Adobe, if you can’t figure out how to simply add some bounds checking to a routine and release a patch, I think maybe you are the “untrusted publisher”.

So, here are your options:

1) Uninstall Adobe (highly recommended. Once this vulnerability is patched, there will be 6 more released, I’m sure – here’s a list of all the vulnerabilities and associated exploits against Adobe products. Look at how many came out in the past 60 days (granted, a chunk of them are DLL hijacking, but even ignoring those ones…)) Some options to replace Adobe include:
A) Install the Google Docs plugin and read your PDF’s from within Google Docs (this is what I do)
B) Install one of the many other software packages out there:
* Evince
* Foxit (Foxit is often vulnerable to the same issues as Adobe, though, so be a bit weary of this one)
* Okular
* GSView
* Xpdf
* NitroPDF
* SumatraPDF
* Please note that I haven’t used all of these, so if you have any input on them, please comment below
2) Install this patch
3) Or wait around for Adobe to do something about it, meanwhile leaving you vulnerable to attack. Though, I’m sure there’s nothing important on your computer that you wouldn’t mind being stolen, right?

Sorry about this rant, I’m just getting tired of these companies writing absolutely terrible code, laughing at us as they head off to the bank with our money and then not taking it seriously when they get flooded with vulnerability discoveries. I’m looking forward to the day when some big company gets pwned due to a vulnerability in a piece of software that a publisher has had ample time to patch and then gets sued for damages. That’s when the face of internet security will change, because I guarantee that if you assign a price tag to apathy, we will begin to see same-day patches.

Oh, wait, we do already see that.. with Linux. *plug*.