Tuesday, April 29. 2008
Based on Google's index, the following sites are/were infected based on the SQL injection attack discussed all over the place (1, 2, 3, 4, 5). From an SA perspective, News24, Sunday Times (available in dead tree only) and Talk Radio 702 have covered this. Click here for Google's latest list. Click here for Yahoo's latest list (much less accurate).
Status: Medium
- Most of the sites hosting the JavaScript are down, and most of the sites listed as infected seem to be clean (for SA). As this appears to be the 3rd or 4th injection, if web admins haven't fixed the root vulnerability and the attack is re-run pointing at a different domain, it could happen again.
- The command and control server the Trojan sends stolen passwords to is still up.
Warnings:
- Do not click on any of the links from Google or Yahoo as you are likely to be taken to a website which will infect your computer with a trojan.
- Search engines (such as Google and Yahoo) work from an index, which is a snapshot of information. This snapshot takes a while to update, so some sites may be infected and not listed yet, while others may no longer be infected and still be listed.
Tuesday, April 15. 2008
OSVDB's SoC code monkey, Dave, has been ferreting away and is already producing some good stuff (one, two, three). I am going to have a go at getting back into mangling some vulns later tonight. Given that the last time I mangled vulns was almost four years ago, I have a feeling I will be very pleased/surprised by the many changes. For those of you living in the dark ages, OSVDB will be *the* canonical vulnerability reference one day; in the meantime it's just more accurate than the rest ;). All it needs is more manglers.
Monday, April 14. 2008

The iCommons' iSummit '08 site was launched tonight, and I must say it is looking amazing. I am rather biased in this analysis; however, I feel my bias is justified by Loftwork's killer logo shown on the left. There's something about luminous green which gets me going. I won't be able to attend the conference, but the Second Life programme looks beefed up this year for those of us who want a from-the-couch experience. I think iCommons is an undervalued organisation; if I were a broker and they were listed I would give it a strong 'buy' recommendation. In digital currency this translates to: find out who they are and what they do, and then tell others. They have a mandate that extends beyond that of Creative Commons to bridge the gaps between the various 'open access' movements, including Wikipedia, Open Source, Free Culture, Open Education, Open access journals etc. I am fortunate enough to know some of the team based in Johannesburg, and can attest that this is a group of highly motivated, passionate people, who are too modest to boast about their own brilliance.
This will be the fourth iSummit, a large conference organised all over the world by 2-5 people! The 10 000ft overview of the summit is best described by the commoners themselves: "There will be two keynote sessions each day, featuring confirmed speakers David Wiley of OpenContent fame, FLOSS advocate and researcher, Rishab Ghosh and Wikipedia's Jimmy Wales. Also look forward to community-specific 'labs' and an Academy track for Commons novices, with extra time to connect and chat. Free space has been planned into the programme to accommodate spontaneous connections as they arise - if a group of like-minded Commoners have an idea that they would like to discuss right there and then, we can help to make that happen."
Friday, March 14. 2008
I just read Colin's entry about how The Times have 'partnered' with Google and included a Google search on their website. I thought it was quite strange that he used and advertised this with the term 'partnered' for something that is both easy to do and that many sites have been doing for several years now. My suspicion is that every now and again these "Web 2.0 Journalists" get far too carried away with buzzwords. Although I do think Colin is a sooper guy.
So, I had a quick look at how this magic 'partner' search works. It's quite simple really, you make a call to google.co.za/custom and pass it all the colours you want in the 'cof' var, along with some other miscellaneous junk (the client and channel vars may be some sort of poor authenticator), including the good old 'sitesearch' var.
Continue reading ".tHE pRODUCT Search, powered by The Times, powered by Google"
Sunday, March 9. 2008
In December I received an EMV card from my bank in South Africa. I won't mention who they are as this isn't specific to them. In general it has annoyed me, as now I have to type in a PIN, which often necessitates me moving my lazy ass from the table to the waiters' pay area and standing around while the steam punk mechanics work themselves out. And, I am *more* liable for fraud on my account.
Continue reading "Chip & Pin Cards are a joke"
Wednesday, March 5. 2008
I'm really enjoying the hype around the firewire hacks, originally presented by Maximillian Dornseif in 2004, given new life in 2006 by Adam Boileau and now re-hyped in 2008 thanks to Adam releasing the last bit of scripts to unlock a Windows machine (illegally!, gosh). I think Adam sums this up quite nicely:
Yes, it's a FEATURE, not a bug. It's the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 spec knows this. People with firewire ports generally don't.
Continue reading "The Fire in Firewire"
Saturday, February 23. 2008
Microsoft have released a bunch of protocol specifications for their proprietary protocols or implementations. Some of the whoppers I've added to my reading list are (in alphabetical order):
The items marked in red are for immediate reading. I am particularly excited about the WSUS proposal after my attempts at dissecting it in my masters thesis. This will be good for Microsoft in the long run. Yay to the EU.
Wednesday, January 16. 2008
Heard of the year 2038 unix clock overflow bug? The 30th preversary is at 3am this Saturday. If any of your banks are using 32-bit Unix systems to do 30 year home loan calculation you may soon hear about this.
singe@platform:~$ uname -a
Linux platform 2.6.15-27-server #1 SMP Fri Dec 8 18:43:54 UTC 2006 i686 GNU/Linux
singe@platform:~$ sudo date -u 011903142038.06
Tue Jan 19 03:14:00 UTC 2038
singe@platform:~$ date
Tue Jan 19 05:14:07 SAST 2038
singe@platform:~$ date
Fri Dec 13 22:15:52 SAST 1901
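As an added illustration (not from the original post), a small C program showing how a 30-year loan term pushes a 32-bit signed time_t past 03:14:07 UTC on 19 January 2038 and wraps into December 1901, so the loan appears to mature before it was opened. The seconds-per-year constant and the two loan start dates are constructed for the example, and epoch_year() assumes a platform with a 64-bit time_t.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Gregorian mean year in seconds (365.2425 days), an assumption of this example. */
#define SECONDS_PER_YEAR 31556952LL

/* Legacy arithmetic: add a term to a 32-bit signed timestamp, truncating the
 * way a 32-bit time_t would (modulo 2^32 on gcc/clang). Returns 1 if the true
 * sum did not fit, i.e. crossed 03:14:07 UTC on 19 Jan 2038 (2^31 - 1). */
int add_term_32(int32_t start, int64_t term_seconds, int32_t *result) {
    int64_t sum = (int64_t)start + term_seconds;
    *result = (int32_t)sum;
    return sum > INT32_MAX || sum < INT32_MIN;
}

/* Calendar year of an epoch timestamp. Assumes a 64-bit time_t (modern
 * Linux), so gmtime() can represent both 2038+ and the 1901 wrap target. */
int epoch_year(int64_t seconds) {
    time_t t = (time_t)seconds;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

/* Maturity of a 30-year loan computed with 32-bit timestamps. Returns 1 when
 * the date wrapped, which shows up as a loan "maturing" before it started. */
int loan_maturity_32(int32_t start, int32_t *maturity) {
    int wrapped = add_term_32(start, 30 * SECONDS_PER_YEAR, maturity);
    return wrapped || *maturity < start;
}

int main(void) {
    /* Constructed inputs: loans opened 1 Jan 2008 and 1 Feb 2008, 00:00 UTC. */
    int32_t starts[] = { 1199145600, 1201824000 };
    for (int i = 0; i < 2; i++) {
        int32_t m;
        int bad = loan_maturity_32(starts[i], &m);
        printf("opened %d (%d) -> matures %d (%d)%s\n", starts[i],
               epoch_year(starts[i]), m, epoch_year(m),
               bad ? "  <-- wrapped into the past" : "");
    }
    return 0;
}
```

The January 2008 loan squeaks in just under the boundary; the February 2008 loan does not, and its maturity lands in 1901.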
Tuesday, January 8. 2008
Deloitte has released its security surveys for 2007. Deloitte usually releases several security surveys broken up by industry (see 2006's surveys). So far the following have been released: I'm completely biased in publishing any Deloitte information, but I think these are well worth a read.
After Jeremy Clarkson (of Top Gear fame) published his bank details, to prove that identity theft based on the now famous lost British CDs was overblown, he became a victim of identity theft and had 500 pounds fraudulently stolen from his account and deposited to the British Diabetic Association.
While I don't condone the action, it is a bit of a modern day Robin Hood story. Who wants the screen play to "Hackers in Tights"?
Thursday, December 20. 2007

I took delivery of the first car I've ever bought today. It is a 'Spirited Green' Mazda 2 1.5 Dynamic, which I have named 'Kuluhlaza' or 'Green' in Zulu. I've never really cared for cars, but both the research and excitement of actually getting it are slowly (very slowly) turning me into a car buff.
Tuesday, December 11. 2007
I was pleasantly surprised, upon opening my blog reader, to find that Mikko Hypponen was in Cape Town for the Information Security Forum's 18th annual world congress. He had good things to say about South Africa and about a Deloitte talk on Emue (ask me more if you're interested). Kiefness.
Monday, November 12. 2007
Wednesday, October 31. 2007
pdp pointed out Joe Walker's slides on the matter. They are clear and beautiful and I've embedded them below. I think this complements the "Web Hacking 2.0" post quite nicely.
Continue reading "Web Hacking 2.0 - A Movie"
Tuesday, October 23. 2007
Deloitte has gathered together some good climate change resources. If you want some white papers, formal research or the like, this has some good links.