Thursday, July 24. 2008
This paper wallet is pretty cool. I usually can't stand papercraft as I don't have the patience to cut out lots of tiny little pieces and try to make paper do things it was never supposed to do, just because I feel empowered with non-toxic glue. However, this is dead simple (took me about 10 minutes to make) and pretty useful. The only problem is that it is wide enough for US dollar bills, but not "real world" money. So right now, I'm using it to store all those store cards I don't want to keep in my main wallet. I'll see if I can fire it up in Inkscape later and make it larger. There are some great tips in the comments too. Thanks Lifehacker.
* Kaminsky DNS Cache Poisoning Flaw Exploit for Domains
- Advisory: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
- Exploit: http://www.caughq.org/exploits/2008/bailiwicked_domain.rb
* Kaminsky DNS Cache Poisoning Flaw Exploit for Hosts
- Advisory: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
- Exploit: http://www.caughq.org/exploits/2008/bailiwicked_host.rb
The blog entry. The list. It's even on Packetstorm. I'm not sure my not posting these would limit their distribution in any significant way, and given the detailed breakdown provided to us by Matasano, the bad guys could already have a working version. At least we are empowered to test and understand (without waiting for BlackHat).
Tuesday, July 22. 2008
Yeah! If you were wondering why I wanted to know who discovered SQL injections, it was to nominate a "Pwnie for Mass 0wnage". And it was accepted:
SQL injection in more than 500,000 web sites
Discovered by: Rain Forest Puppy back in 1998
SQL injection attacks are not new, but this year we saw an upsurge in the number of automated attacks against vulnerable websites. Reportedly more than half a million websites were compromised.
Although I see they went all conservative on the numbers (500k, *psccht*). ShadowServer has nearly 500k from the nihaorr1.com injection alone. Anyone with contacts please correct them.
Saturday, July 19. 2008
Schneier once proposed a vulnerability life cycle in a Crypto-Gram newsletter. He was wrong. During the time of writing my thesis, there were several important pieces of research no-one had put together to come up with a 'more correct' vulnerability life cycle. Given some recent discussions between Symantec and Verizon, I thought I would provide this in a more accessible format than a previous presentation I did on the subject, so that I could refer to it later. The benefit of having an understanding of the life cycle is that it provides a model to 'predict' the behaviour of various role players (e.g. bad guys, vendors and administrators) and to understand how that behaviour impacts important parts of the risk management equation such as vulnerability, threat and impact. This is an important building block of any threat model. The detail after the jump.
Friday, July 18. 2008
Some older versions of SELinux and OpenSSH compiled to support it allow you to log in with an arbitrarily chosen SELinux role. You'll need a valid account, and some fairly undefined conditions, but the attack is:

ssh --l<username>:/<chosen role> <host>

Haven't seen a (potential) stuff up like that since the MIT Kerberos telnet daemon flaw (which was significantly worse). I'd like to think that people who've gone to the effort of setting up SELinux also patch regularly. Source, milw0rm. I am interested in this because it is dreadfully simple, has some weird implications for how SSH and SELinux interact, and there is scant information about this. Maybe a few more eyes can uncover something. Disclaimer: I haven't tested this. The author only tested it on a limited subset and it didn't work on up-to-date distros. Update: Explained my motivations and authority (or lack thereof) on the exploit thanks to foobar's comments.
Tuesday, July 15. 2008
I never remember how to do this, so for my own personal blog-memory:

rsync --partial --progress --rsh="ssh -p <remote ssh port>" <from file> <partially downloaded file>

- The --rsh parameter can contain all of your normal ssh command line-fu such as keys, options, ports etc. (Who runs public ssh on port 22 these days anyway?)
- The <from> and <to> follow the normal SCP format of <username>@<hostname>:<filename> or just <filename> for the local copy.
Rain Forest Puppy (rfp) in a merry Christmas of an article entitled "NT Web Technology Vulnerabilities", published in Phrack Magazine, Volume 8, Issue 54 on December 25th, 1998. He didn't actually call it SQL injection yet, that honour either goes to SANS or Chip Andrews in 2001. Source, Litchfield. Here's the beginning of his summary, from the section entitled "ODBC and MS SQL server 6.5":
- WHAT'S THE PROBLEM? MS SQL server allows batch commands.
- WHAT'S THAT MEAN? I can do something like:

SELECT * FROM table WHERE x=1 SELECT * FROM table WHERE y=5

Exactly like that, and it'll work. It will return two record sets, with each set containing the results of the individual SELECT.
- WHAT'S THAT REALLY MEAN? People can possibly piggyback SQL commands into your statements. Let's say you have:

SELECT * FROM table WHERE x=%%criteria from webpage user%%

Now, what if %%criteria from webpage user%% was equal to:

SELECT * FROM sysobjects

It would translate to:

SELECT * FROM table WHERE x=1 SELECT * FROM sysobjects
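As an added illustration of rfp's piggybacking pattern (this is not code from the Phrack article or from this post), here is the concatenated query beside its parameterized fix, run against a constructed in-memory SQLite table: "items" plays the role of rfp's "table", sqlite_master stands in for sysobjects, and a ";" separates the batch because SQLite, unlike MS SQL 6.5, won't accept two statements run together without one.

```python
import sqlite3

# Constructed stand-in for the web application's database: "items" plays the role of
# rfp's "table", and SQLite's built-in sqlite_master stands in for MS SQL's sysobjects.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (x INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "one"), (5, "five")])
    conn.commit()
    return conn

def build_vulnerable(criteria):
    # rfp's pattern: the criteria from the web page is spliced straight into the
    # statement text, so whatever the user typed becomes SQL rather than a value.
    return "SELECT * FROM items WHERE x=" + criteria

def run_vulnerable(conn, criteria):
    """Execute the concatenated query. Returns ("rows", rows) or ("blocked", reason)."""
    sql = build_vulnerable(criteria)
    try:
        return "rows", conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # Python's sqlite3 refuses a string holding more than one statement.
        # MS SQL 6.5 accepted the batch and returned both record sets: rfp's point.
        return "blocked", str(exc)

def run_parameterized(conn, criteria):
    """The fix: bind the criteria as a value, so it can never become statement text."""
    return conn.execute("SELECT * FROM items WHERE x=?", (criteria,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable("1; SELECT * FROM sqlite_master"))    # two statements in one string
    print(run_vulnerable(db, "1 OR 1=1"))                        # tautology: every row comes back
    print(run_vulnerable(db, "1; SELECT * FROM sqlite_master"))  # batch: blocked by this driver
    print(run_parameterized(db, "1 OR 1=1"))                     # []: a literal, matches nothing
```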
Monday, July 14. 2008
It's official, I'm going to Black Hat and Defcon this year. I'm very excited. A *huge* thank you to the SensePost guys who are sorting me out only proper. Make sure you go to their training. We've also pulled together a fairly decent Deloitte contingent. I'll be there from the 29th of July to the 11th of August if all goes according to plan. Give me a shout if you want to meet up, or if you have invitations to sexy parties.
If you've decided you want to make better coffee, here are my tips for the changes that will yield the biggest results. These aren't comprehensive, just some quick tips for quickly making better coffee.
- Don't use instant, use proper Arabica grounds.
- Espresso is the best, then French press, then percolator. A Moka Express or Brikka are quick ways to get into espresso.
- Use hot milk. This makes a big difference in taste, 30-40s in the microwave should do it. A French Press can be used with hot milk to make decent froth for cappuccino too.
- Grind your own beans. A grinder is cheap, and freshly grinding your own beans just before you make a cup makes a subtle increase in flavour. Remember to store your beans in an airtight container in a cool dry place (not the fridge).
After 4 years I have finally decided to change my theme. It is very Mac OSX oriented, but I just like it so much. I've also removed a Gig of spam block logs from the DB, so it should be a bit snappier. Finally, I figured out why Google hates me, I somehow didn't run a DB upgrade script on the last blog upgrade, and a ton of links weren't working. They are now.
Tuesday, July 8. 2008
This will be fun to watch. Dan Kaminsky has sort-of published not-so-sekret ways to break DNS. Patches have been released to make things more random. "Full" disclosure at BlackHat. From ISC: "The method used makes it harder to spoof answers to a resolver by expanding the range of UDP ports from which queries are sent, thereby increasing the variability of parameters in outgoing queries."
I laughed with mirth and glee at the Emergent Chaos comment: "DJBdns is in fact not affected as DJB had already implemented port randomness even though he didn't know it was an issue."
This means *all* DNS (except DJBdns) is vulnerable, many vendor patches to follow. Although, DNSSEC is the *right* answer.
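As an added check (not from this post or from ISC) for whether a resolver actually picked up the patch, here is Python that parses constructed tcpdump-style lines of a resolver's outbound queries and flags one that keeps reusing a single source port, plus the arithmetic for why widening the port range matters; the 64512-port ephemeral range and the sample lines are assumptions.

```python
import re

# Constructed tcpdump-style lines for a resolver's outbound queries (not real captures).
# Unpatched resolver: every query leaves from the same source port, so only the 16-bit TXID varies.
FIXED_PORT = """\
12:00:01.000 IP 10.0.0.53.32768 > 192.0.2.1.53: 4711+ A? www.example.com.
12:00:01.010 IP 10.0.0.53.32768 > 192.0.2.1.53: 4712+ A? mail.example.com.
12:00:01.020 IP 10.0.0.53.32768 > 192.0.2.1.53: 4713+ A? ftp.example.com.
12:00:01.030 IP 10.0.0.53.32768 > 192.0.2.1.53: 4714+ A? ns.example.com.
"""
# Patched resolver: source port and TXID both vary from query to query.
RANDOM_PORT = """\
12:00:01.000 IP 10.0.0.53.51723 > 192.0.2.1.53: 19223+ A? www.example.com.
12:00:01.010 IP 10.0.0.53.60011 > 192.0.2.1.53: 4099+ A? mail.example.com.
12:00:01.020 IP 10.0.0.53.33480 > 192.0.2.1.53: 58302+ A? ftp.example.com.
12:00:01.030 IP 10.0.0.53.45917 > 192.0.2.1.53: 7740+ A? ns.example.com.
"""

# Outbound query: "<src ip>.<src port> > <dst ip>.53: <txid>+ ..." ("+" = recursion desired)
QUERY = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+ ")

def parse_queries(capture):
    """Return (source_port, txid) pairs, one per outbound query line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(QUERY.search, capture.splitlines()) if m]

def port_randomization_ok(capture, max_reuse=0.5):
    """True if queries are spread over many source ports; False when the busiest
    port carries more than max_reuse of them (the pre-patch fixed-port behaviour)."""
    ports = [port for port, _ in parse_queries(capture)]
    if not ports:
        return False
    busiest = max(ports.count(port) for port in set(ports))
    return busiest / len(ports) <= max_reuse

def expected_spoof_packets(txid_bits=16, port_space=1):
    """Forged replies needed to match one in-flight query: an answer is only accepted
    if both TXID and destination port match, so the two search spaces multiply."""
    return (2 ** txid_bits) * port_space

if __name__ == "__main__":
    print("fixed port ok?", port_randomization_ok(FIXED_PORT))    # False
    print("random port ok?", port_randomization_ok(RANDOM_PORT))  # True
    print("TXID only:", expected_spoof_packets())                 # 65536
    print("TXID + port:", expected_spoof_packets(port_space=64512))  # assumed 1024-65535 range
```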