Dominic White's .tHE pRODUCT

Last week, Roberto Preatoni, founder of WabiSabiLabi, the exploit eBay, gave a talk at the ITWeb Security Conference about his creation. I really wanted to ask a question, but there was no time. At the end of his talk, when asked who agrees that WabiSabiLabi is a good idea (i.e. creating a market place for vulnerabilities and exploits ot be freely sold and traded, like eBay) like Roberto, I was surprised to see so many hands go up as the general info sec community has reacted quite harshly to the idea. A possible explanation based on my experience is that many ITWeb attendees are not 'hardcore' security people, and haven't been following the disclosure argument over the last decade. Then, given only Roberto's talk, chose to agree with him due to a lack of any exposure to rebuttal. When asked who disagrees, I was the only one who put their hand up.

So, here's why.

Debian released a patch to OpenSSL based on a Debian-specific bug resulting in random numbers being used for the secret parts of key generation not being so random (due to the random number generater not being seeded). Quoting from the mailing list announcement:

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections [generated after 2006-09-17]. Keys generated with GnuPG or GNUTLS are not affected, though.

Ubuntu has also released a security announcement stating they too are affected (which likely means other Debian based distros are too, like the Xandros on your Asus EEE PC). In their words:

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.

In our instance we needed to regenerate several SSH host keys. For ease of use, here are instructions for doing so. Please not these instructions are superceeded by the instructions which will be posted here (but aren't yet).

So, the SQL injections of last month are still going and on the increase. At last check (11am SAST) Google's index had 1 070 000 infected pages. Not all of these are from the same source, or load the same malware. However, they have the same basic principle:

generic SQL injection -> Javascript -> infect visitors

Several of the sites in South Africa I've been watching have been re-infected. I spoke to several of the admins, but it seems they are just restoring from backup and not fixing the root cause. The domains currently being injected and containing the malicious Javascript are:

• nihaorr1.com
• 2117966.net
• aspder.com
• haoliuliang.net
• nmidahena.com
• free.hostpinoy.info
• xprmn4u.info
• winzipices.cn
• wowgm1.cn
• killwow1.cn
• wowyeye.cn

Although, new ones are coming to my attention fairly quickly at the moment. For example, wowgm1.cn was re-injected over winzipices.cn on a few pages. The 'wow' range seem to be related, as they are re-infecting pages with a new URL. On the point of re-injections, it seems some are overwriting each other in funny ways, for example, the following was found on one page (*'s added):

<script src=http://www.2<script src=h**p://www.2117966.net/f*ckjp.js></script>

It bother's me that the security industry (particularly in SA) doesn't seem to have cottoned on to this as a widespread pervasive attack. Shadowserver (one, two) seems to be the only ones getting close to the problem, but even SANS is treating these as seperate events. There is only basic protection at the moment, if you click through from some of these sites (10%?) in Google, you will get a Malware warning. Continuing to the site anyway prevents me due to Firefox's security setting (which shares the same list from Google, i.e. stopbadware.org).

Given how successfull the exploitation of such an 'old' vulnerability, it is likely we are only going to see more (and better executed) versions of this in the next few months (years?). Hitting over a million pages with a pretty lame attack, that only targets Microsoft SQL is fairly impressive. If they just modified their SQL to work on MySQL or Postgres I'm sure we would seem more than a million more hit. It is interesting to note that it has taken this long from someone to try and 'monetise' SQL injections, as it has been around for a while (8 years?). My guess is that it will take less time for bad guys to do the same with XSS & CSRF, but that Microsoft's default request validation will save some of us, but not because dev's have cottoned on.

Based on Google's index, the following sites are/were infected based on the SQL injection attack discussed all over the place (1, 2, 3, 4, 5). From an SA perspective, News24, Sunday Times (available in dead tree only) and Talk Radio 702 have covered this.

Click here for Google's latest list.

Click here for Yahoo's latest list (much less accurate).

Status: Medium

• Most of the sites hosting the JavaScript are down, and most of the sites listed as infected seem to be clean (for SA). As this appears to be the 3rd or 4th injection, if web admins haven't fixed the root vulnerability and the attack is re-run pointing at a different domain, it could happen again.
• The command and control server the Trojan sends stolen passwords to is still up.

Warnings:

1. Do not click on any of the links from Google or Yahoo as you are likely to be taken to a website which will infect your computer with a trojan.
2. Search engines (aka Google and Yahoo) work on an index, which works on a snapshot of information. This snapshot takes a while to update, so some sites may be infected and not listed yet, and others may no longer be infected and still listed.

OSVDB's SoC code monkey, Dave, has been ferreting away and is already producing some good stuff (one, two, three). I am going to have a go at getting back into mangling some vulns later tonight. Given that the last time I mangled vulns was almost four years ago, I have a feeling I will be very pleased/surprised by the many changes.

For those of you living in the dark ages, OSVDB will be *the* canonical vulnerability reference one day, in the meantime it's just more accurate than the rest ;), all it needs is more manglers.

The iCommons' iSummit '08 site was launched tonight, and I must say it is looking amazing. I am rather biased in this analysis, however, I feel my bias is worthy for Loftwork's killer logo shown on the left. There's something about luminous green which gets me going. I won't be able to attend the conference, but the Second Life programme looks beefed up this year for those of us who want a from-the-couch experience.

I think iCommons is an undervalued organisation, if I were a broker and they were listed I would give it a strong 'buy' recommendation. In digital currency this translates to find out who they are, what they do and then tell others. They have a mandate that extends beyond that of Creative Commons to bridge the gaps between the various 'open access' movements including Wikipedia, Open Source, Free Culture, Open Education, Open access journals etc. I am fortunate enough to know some of the team based on Johannesburg, and can attest that this is a group of highly motivated, passionate people, who are too modest to boast about their own brilliance.

This will be the fourth iSummit, a large conference organised all over the world by 2-5 people! The 10 000ft overview of the summit is best described by the commoners themselves:

There will be two keynote sessions each day, featuring confirmed speakers David Wiley of OpenContent fame, FLOSS advocate and researcher, Rishab Ghosh and Wikipedia's Jimmy Wales. Also look forward to community-specific 'labs' and an Academy track for Commons novices, with extra time to connect and chat. Free space has been planned into the programme to accommodate spontaneous connections as they arise - if a group of like-minded Commoners have an idea that they would like to discuss right there and then, we can help to make that happen.

I just read Colin's entry about how The Times have 'partnered' with Google and included a Google search on their website. I though it was quite strange that he used and advertised this with the term 'partnered' over something both easy to do, and many sites have been doing for several years now. My suspicion is that every now and again these "Web 2.0 Journalists" get far too carried away with buzzwords. Although I do think Colin is a sooper guy.

So, I had a quick look at how this magic 'partner' search works. It's quite simple really, you make a call to google.co.za/custom and pass it all the colours you want in the 'cof' var, along with some other miscellaneous junk (the client and channel vars may be some sort of poor authenticator), including the good old 'sitesearch' var.

In December I received an EMV card from my bank in South Africa. I won't mention who they are as this isn't specific to them. In general it has annoyed me, as now I have to type in a PIN, which often necessitates me moving my lazy ass from the table to the waiters pay area and standing around while the steam punk mechanics work themselves out. And, I am *more* liable for fraud on my account.

I'm really enjoying the hype around the firewire hacks, originally presented by Maximillian Dornseif in 2004, breathed new life in 2006 by Adam Boileau and now re-hyping in 2008 thanks to Adam releasing the last bit of scripts to unlock a Windows machine (illegally!, gosh). I think Adam sums this up quite nicely:

Yes, it's a FEATURE, not a bug. It's the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 spec knows this. People with firewire ports generally don[']t.

Microsoft have released a bunch of protocol specifications for their proprietry protocols or implementations. Some of the whoppers I've added to my reading list are (in alphabetical order):

• "FrontPage Server Extensions: Website Management Specification" http://msdn2.microsoft.com/en-us/library/cc217914.aspx
• "Firewall and Advanced Security Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc231461.aspx
• "Local Security Authority (Domain Policy) Remote Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc234225.aspx
• "NT LAN Manager (NTLM) Authentication Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc236621.aspx
• "NTLM Over HTTP Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc237488.aspx
• "Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification" http://msdn2.microsoft.com/en-us/library/cc240445.aspx
• "Remote Procedure Call Over HTTP Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc243950.aspx
• "Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc251347.aspx
• "Windows Update Services: Client-Server Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc251937.aspx

The items marked in red are for immediate reading. I am particularly excited about the WSUS proposal after my attempts at dissecting it in my masters thesis. This will be good for microsoft in the long run. Yay to the EU.

Heard of the year 2038 unix clock overflow bug? The 30th preversary is at 3am this Saturday. If any of your banks are using 32-bit Unix systems to do 30 year home loan calculation you may soon hear about this.

singe@platform:~$ uname -a
Linux platform 2.6.15-27-server #1 SMP Fri Dec 8 18:43:54 UTC 2006 i686 GNU/Linux
singe@platform:~$ sudo date -u 011903142038.06
Tue Jan 19 03:14:00 UTC 2038
singe@platform:~$ date
Tue Jan 19 05:14:07 SAST 2038
singe@platform:~$ date
Fri Dec 13 22:15:52 SAST 1901

Deloitte has released its security survey's for 2007. Deloitte usually releases several security survey's broken up by industries (see 2006's survey's). So far the following have been released:

• Financial Services (Press Release, PDF-english, PDF-chinese)
• Media & Telecomms (Press Release, PDF)
• Life Sciences (upcoming)
• Consumer Business/Retail (upcoming)

I'm completely biased in publishing any Deloitte information, but I think these are well worth a read.

After Jeremy Clarkson (of Top Gear fame) published his bank details, to prove that identity theft based on the now famous lost British CDs was overblown, he became a victim of identity theft and had 500 pounds fraudulently stolen from his account and deposited to the British Diabetic Association.

While I don't condone the action, it is a bit of a modern day Robin Hood story. Who wants the screen play to "Hackers in Tights"?

I took delivery of the first car I've ever bought today. It is a 'Spirited Green' Mazda 2 1.5 Dynamic, which I have named 'Kuluhlaza' or 'Green' in Zulu. I've never really cared for cars, but both the research and excitement of actually getting it are slowly (very slowly) turning me into a car buff.

I was pleasantly surprised, upon opening my blog reader, that Mikko Hypponen was in Cape Town for the Information Security Forum's 18th annual world congress. He had good things to say about South Africa, a Deloitte talk about Emue (ask me more if you're interested). Kiefness.