The development of the webhoneypot is back in swing again. We are aiming for May 15th as the release date for a beta version. A cool new feature which got committed recently is the possibility to “emulate” RFI vulnerabilities. It works in two steps:
When a possible RFI attempt has been found, the respective file is fetched.
The file is parsed line by line and, if certain patterns are recognized, predefined text is output.
This method is based on the observation that most (automated) RFI attempts begin by inserting a basic script to output system information (like the OS version, PHP version, etc). The emulation tries to find these cases and output something that looks realistic enough so that the next stage of the RFI is triggered.
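As an added illustration (not the webhoneypot's own code), here is a small Python emulator in the spirit of what is described above: it walks the fetched file line by line, recognizes a few common system-information calls and emits canned values instead of real ones, staying silent on lines it does not understand. The patterns, the fake values and the sample fetched file are all constructed for this example.

```python
import re

# Canned values returned in place of real system information.  Constructed for
# this example; the real webhoneypot keeps its own tables.
FAKE_ENV = {
    "phpversion": "5.2.6",
    "php_uname": "Linux www 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:15 EDT 2008 x86_64",
}
FAKE_INI = {"safe_mode": "", "disable_functions": "", "open_basedir": ""}

# One statement of the fetched script, e.g.  echo "Uname: " . php_uname() . "<br>";
ECHO_RE = re.compile(r"^\s*(?:echo|print)\b(.*?);?\s*$", re.I)

# Pieces of the echoed expression we understand: a few recognized calls and
# string literals.  Anything else is ignored.
PIECE_RE = re.compile(
    r"""(?P<ver>phpversion\s*\(\s*\))
      | (?P<uname>php_uname\s*\((?:\s*['"]\w['"])?\s*\))
      | ini_get\s*\(\s*['"](?P<ini>\w+)['"]\s*\)
      | '(?P<sq>[^']*)' | "(?P<dq>[^"]*)" """,
    re.I | re.X,
)


def render_echo(expr):
    """Render one echo expression with canned values, or return None when it
    contains no recognized call (we then stay silent, like the honeypot)."""
    out, recognized = [], False
    for m in PIECE_RE.finditer(expr):
        if m.group("ver"):
            out.append(FAKE_ENV["phpversion"])
            recognized = True
        elif m.group("uname"):
            out.append(FAKE_ENV["php_uname"])
            recognized = True
        elif m.group("ini") is not None:
            out.append(FAKE_INI.get(m.group("ini").lower(), ""))
            recognized = True
        elif m.group("sq") is not None:
            out.append(m.group("sq"))
        else:
            out.append(m.group("dq"))
    return "".join(out) if recognized else None


def emulate_rfi(fetched_source):
    """Walk the fetched file line by line and collect the canned output lines
    for every echo/print statement whose pattern we recognize."""
    output = []
    for line in fetched_source.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue  # not an echo/print statement: nothing to fake
        rendered = render_echo(m.group(1))
        if rendered is not None:
            output.append(rendered)
    return output


# Constructed sample of the kind of probe the text describes: print a few
# facts about the host, then a statement we do not recognize.
SAMPLE_FETCHED_FILE = """<?php
echo "PHP-VERSION: " . phpversion() . "<br>";
echo "UNAME: " . php_uname() . "<br>";
echo "SAFE-MODE: " . ini_get('safe_mode') . "<br>";
echo date('Y');
?>"""

if __name__ == "__main__":
    print("\n".join(emulate_rfi(SAMPLE_FETCHED_FILE)))
```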
What do you need?
Activating the emulation is rather straightforward: you only need to add the following two lines to your config.local file:
fetch_rfi=1
emulate_rfi=1
The prerequisites for it to function are: (a) the webserver must be able to make outbound connections and (b) one of the following methods of fetching remote files with PHP needs to be active: the curl extension, allow_url_fopen or sockets.
Warning! Allowing outbound connections from the webserver lessens its security considerably, so you should only do it on test machines.
Have fun!
PS. A bonus tip: if you set loglevel to at least 4, all requests are written to your logfile, in addition to being sent to SANS. This can be useful if you yourself are interested in the attempts of the “bad guys” to compromise your security.
From Andy Helsby's Bookmarks: How do I Reset a Dell BIOS Password? – apparently for laptops there is a free (if you live in the USA) number you can call, and after giving the serial number for your laptop, they give a master unlock code. This is cool, but also a reminder that BIOS passwords don’t provide real security.
From the same source: Free PDF to Word converter. I didn’t try it myself, but it is the kind of utility several people have asked me about.
Via 0Kn0ck's Blog: Internet Explorer 8: Anti Spoofing is a Myth – the title is clearly sensationalistic and the subtitle misleadingly worded (intentionally or not): “Broken Status Address Bar Link Integrity”. What it boils down to is that you can spoof the contents of the status bar via JavaScript (so not the address bar). While not that problematic (since, let's face it, not that many people look at their status bar, or their address bar for that matter), it can be used to make some attacks more believable.
Again from terminal23.net: wisdom from a hacker looking at 50 (warning! the link points to a ~226 MB M4V video file). Interesting and inspiring. One minor caveat: you might have heard this talk from other sources.
Using Btrfs with Multiple Devices – very cool. It seems that Btrfs aims to be a contender to ZFS. I would still like to have ZFS in the Linux kernel, but given the licensing discrepancies, I think that it won't happen (at least in the short term).
Top acts – “top”-like utilities for Linux: htop (I use it almost daily), iftop (I have heard about it) and iotop (I haven't heard about it). A bonus from the taint.org comments: atop. Some version of each is available in the Ubuntu repos (not necessarily the most bleeding-edge version).
From the xkcd blog: there seems to be some controversy regarding the effectiveness of the Dvorak layout. The second link seems to be more balanced (even though it is from a “make the switch” side :-)). On a related note: the support in Windows seems to be awful, the layout switching almost randomly :-(. And so far I haven't managed to find a typing tutor which shows the layout of the keyboard on the screen.
Via Security4All: Insecure 20 is out – my usual complaints still apply (the articles are somewhat superficial and there are many advertisements), but after all, it is free. One interesting tool that gets mentioned is XProbe2, an application-level fingerprinting tool. There is also a discussion about ISP-level filtering, but sadly it is conflated with child pornography and other such issues (I would like a discussion – or a sub-discussion – based entirely on the security aspect).
Via the Sunbelt blog: Advertising fraud – how “clever” websites try to convince the sponsors that more ad impressions are shown / clicked than are actually seen by the user:
From the Yahoo Pipes blog: YQL (the Yahoo! Query Language) – yet another way to consume data from Yahoo. An interesting experiment, and very nice to see companies adopting the concept of free data.
From Monty: Web of Trust – a collaborative way to replicate the functionality of SiteAdvisor. In some way it is more powerful (because it can spot things which are hard to spot automatically – like money mule scams), but in other ways (like adware / spyware / malware) it is questionable if enough people have the know-how to correctly determine if a site is or is not infected (I would fall on the “no” side).
The following link is probably only interesting to my Romanian speaking readers: Salariile reale din industria IT din Romania 2008 – a quick translation of the title: “The real salaries in the IT industry in Romania, 2008”.
From Coding Horror: The Ugly American Programmer – basically the same ideas I outlined earlier: if you want to be a (good) programmer, you have to know English. It is interesting to compare the reactions in the comments (which mostly agree with the premise) with the comments on Scott Hanselman's post – the latter had more disagreeing posts. Different demographic, I guess.
From the Random things in IT blog: a couple of free data restore utilities: PhotoRec and TestDisk – and they are open source too! Anyway, if you've deleted something you didn't mean to, stop writing to the given partition as soon as possible (and I mean as soon as possible), because otherwise the chances of recovering anything are extremely slim.
My take on it? There is no proof that China is behind this. There are alternative explanations (as the paper correctly points out on page 47, but I don't think that most people got that far). The fact that all those government institutions got penetrated only shows that most people don't get security (even in “high risk” places). Yes, some of the attacks were targeted, but we hear almost daily about your average worm penetrating all kinds of “big” institutions.
A qualm of mine with the report is that it is too secretive: it tries to black out essential parts (no MD5 is given for the files, etc). Also, there are some aspects which make the fact that this was a “professionally run” operation less believable:
From what I’ve seen, the associated GUI only makes it possible to control one machine at a time. This is very ineffective.
They mentioned that one of the first files to be retrieved through the network was one containing email addresses. This seems to be indicative of a spamming operation more than an infiltration operation.
For a long time I was a believer in the “Perl way” of doing regular expressions and an avid reader of perlre. All other implementations I viewed as a “poor man’s copy” of the one true idea.
However, after reading the Lua Patterns Tutorial, I found it quite enlightening. Even though it is called “patterns” and not “regular expressions”, it is a very similar concept. The very nice touch is that it uses % as escape character rather than \ (like in PCRE). For example, to represent a digit you would say %d instead of \d, a syntax which I suppose is familiar to a larger audience of programmers (everybody who used the printf / scanf family of functions). An excellent idea!
The idea is not new: get a lot of users to view a given webpage, to DDoS the webserver / backend (depending where the bottlenecks are). If I recall correctly, some student asked the visitors of his website to continuously refresh the page of his university and got charged for it.
As many have remarked at the time, (a) the university had some weak webservers if it caved to such simple methods and (b) this can be done automatically with JavaScript or Flash and would be very hard to track down.
Imagine the following scenario:
The attacker inserts arbitrary JavaScript or Flash content on one or more medium-to-high traffic websites. This can be done in multiple ways: one can hack into CMSes and modify the content of the articles to include the code. There are many vulnerable sites out there. Or, an even simpler solution is to buy placements for Flash banner ads and include the code in them.
The code (a) looks up a DNS name (this makes the attack targetable) and (b) launches N “threads” and starts sending requests to the given website.
Such attacks would be very hard to diagnose. The requests would come intermittently from a wide range of IP addresses. Even if you could get your hands on such a computer, you couldn't find the source of the requests easily (it's not like the computer is infected with malware you can find by scanning the files on the hard disk). It can also be very sneaky, randomly executing (or not) or using geotargeting to select a subset of computers. These techniques are already in use by malicious advertisements (“malvertisements”) which are currently used to try to sell you rogue AV products. Another reason which makes finding the source hard is the fact that AFAIK XMLHttpRequest does not send the referrer header. Another way to get rid of the referrer header is to make the request from an HTTPS site (browsers do not send the referrer in this situation, to avoid information leakage).
What can you do? Not very much. Prepare for the DDoS. Have a contingency plan (like a backup location in a different IP space, and pointing your DNS entry there). You might be able to differentiate the requests from “normal” requests, but even so, the volume of requests can bring down the machine at the TCP level. And please, please secure your website. We have enough unsecured websites already!
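As an added example (not from the original post), here is a Python detection heuristic over web-server access logs that looks for the signature described above: one resource requested within a short window by many distinct client IPs, mostly without a Referer header. The log format regex, the sample lines (built from documentation IP ranges) and the thresholds are all constructed for this example and must be tuned against a site's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/lighttpd "combined" log format (regex constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_suspect_paths(lines, window_s=60, min_ips=5, min_noref_share=0.8):
    """Bucket requests per (path, time window) and flag buckets hit by at least
    min_ips distinct clients where most requests carry no Referer ("-").
    Thresholds are assumptions; a popular page linked from e-mail or hotlinked
    from another site will look similar, so review hits before acting."""
    buckets = defaultdict(lambda: {"ips": set(), "n": 0, "noref": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the regex does not understand
        slot = int(rec["ts"].timestamp()) // window_s
        b = buckets[(rec["path"], slot)]
        b["ips"].add(rec["ip"])
        b["n"] += 1
        if rec["referer"] == "-":
            b["noref"] += 1

    suspects = {}
    for (path, _slot), b in buckets.items():
        share = b["noref"] / b["n"]
        if len(b["ips"]) >= min_ips and share >= min_noref_share:
            suspects[path] = {
                "distinct_ips": len(b["ips"]),
                "requests": b["n"],
                "noref_share": round(share, 2),
            }
    return suspects


def _line(ip, sec, path, referer):
    """Build one constructed log line inside the same minute."""
    return (f'{ip} - - [10/Apr/2009:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')


# Constructed sample: a little normal browsing, plus eight different clients
# (192.0.2.0/24 is a documentation range) hitting one search URL with no Referer.
SAMPLE_LOG = [
    _line("203.0.113.5", 1, "/index.html", "http://www.example.com/"),
    _line("203.0.113.5", 3, "/about.html", "http://www.example.com/index.html"),
    _line("198.51.100.9", 4, "/index.html", "-"),
] + [_line(f"192.0.2.{i}", 5 + i, "/search.php?q=abc", "-") for i in range(1, 9)]

if __name__ == "__main__":
    for path, info in find_suspect_paths(SAMPLE_LOG).items():
        print(f"suspect {path}: {info}")
```

Once a path is flagged, the same per-window buckets give you the client set to rate-limit or serve a cached copy to, which is the "differentiate the requests" step mentioned above.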
Because you can easily follow along with tutorials, troubleshooting guides and other documentation. Check out the difference between these two tutorials:
In the first you have to orient yourself by some screenshots. If an error message comes up, it is much less likely that you will find it using a search engine, because all similar instances will be encoded in pictures. Also, it is much harder to follow along.
Now check out the second case. You can copy-paste the commands directly from the blog. If errors come up, they will probably be present (and searchable) on the Internet, since they are inherently in a textual format.
Q.E.D.
Picture taken from marcman220's photostream with permission (and yes, I know that it is from a Windows CMD. Some command line is better than no command line)
A paper about the state of the databases which store our information in the EU. I skimmed through it; it is probably of more interest to people who are concerned about this aspect.
Advances in HTTP encapsulated payloads – a presentation about Metasploit using outbound connections. Nothing too revolutionary, but a good reminder that just because you only allow outbound HTTP traffic, it doesn’t mean that you are safe.
IE8 has issues with a lot of sites in the restricted zone list – this wouldn't be an issue, but apparently Spybot S&D uses this method to block sites. While in some sense adding 10 000+ sites is excessive, at the same time if this worked acceptably with older versions, it is a regression (along the same lines: having a lot of entries in the hosts file – for the same reason, to block certain sites – makes the DNS service spike to 100% for several seconds. As a sidenote, Ubuntu doesn't seem to have this problem :-)).
Solving the This driver is not signed problem – ok, this is bad from a security standpoint. This means that any malware with administrator privileges (which it already must have to install rootkits) can simply do a two-step process to install the rootkit: (a) install its own certificate and (b) install the rootkit. Why not require all drivers to be signed by a central authority? For legal reasons I assume...
Is Windows Forensic Edition Forensically Sound? – yes, if you know what settings to change. But for the love of the almighty: these settings should have been set by default! I know that it is more convenient to have the partitions mounted auto-magically, but then don't call it “forensic” edition.
Protocol coverage metrics – it got me thinking: wouldn’t it be nice to have a formal grammar for the protocols, so that we can check if the implementations conform to them?
Via Slashdot: proof of concept BIOS level rootkit. Since the method to persist from 16 bit mode to already exists, it is probable that it will be included in some targeted attacks.
Dan Kaminsky’s slides from CanSecWest – interesting stuff, as always. I very much liked the method of using faked FTP connections to set up port forwarding at the router.
the_source is a video podcast (vidcast? netcast?) concerned mostly with open source. The show is of high quality and they pride themselves on only using open source software to produce it (they use Cinelerra, now renamed Lumiera, which seems to be a very nice non-linear video editor for Linux).
Their episodes are high quality, and even if some (read: me :-)) might complain that there are too many audio/video effects, it is just a matter of taste. There are only ~8 episodes out there, so you can go back and watch them all :-). Some interesting episodes I really liked are the interview with Jon "Maddog" Hall and Revenge Of Cinelerra.
Disclaimer: the review is a personal opinion and I do not have any relationship (business or otherwise) with the authors of the show (other than the occasional comments on their blog).
One key aspect of the rogue AV/AS/AM products is the fact that they use scare tactics to sell their "products". However, even legitimate products have tendencies to go in this direction, as the two examples below illustrate.
The first example is from a Secunia PSI install. Just to clarify my stance on it: it is a great product and the things said in the notification balloon are 100% true. However, it is still very reminiscent of messages generated by some rogue products trying to sell their products.
I really, truly believed this to be a screenshot of a new rogue AV, especially because quite a few security sites publish screenshots of these products. It was only after a more careful look that I realized what I was looking at: a screenshot of their product. I left a comment on their blogpost advising that the title and screenshot looked very much like a rogue product (kudos to them for allowing comments on the blog), which got deleted :-). It seems that their PR department is one of the many which doesn't get that on the web the barrier of entry is much lower and big money doesn't control what is and isn't said (or at least not that much).
If I’m ranting about user interfaces, here is one more point: why can’t people make the updates automatic, not invasive and separated from new product install? As an example, here is the update dialog box from the FoxIt PDF reader:
Can anyone tell me, just by looking at the dialog, what features I currently have installed and what I should update? I certainly couldn't! This isn't just a “fluffy / good to rant about” topic. A recent study from Google found that Firefox users are much more likely to be up-to-date with the latest version, compared to Opera users, and they attributed this to the fact that Mozilla Firefox has a “one-step” update process (effectively you just have to click yes once), while with Opera you must download the new install kit, run it and click through it.
I’m constantly searching for more efficient ways to write blogposts. Currently I’m using Windows Live Writer in a VirtualBox instance running Windows 7, but I wanted to give ScribeFire a try.
The short version: it had some interesting features, but on the whole it had too many negatives compared to Live Writer to be useful for me. The long version:
The good:
Cross-platform, which means that I wouldn’t be tied to Windows (or some emulation layer)
Can import and edit existing entries from Blogger (Live Writer only knows about the entries you created with it)
It has spellchecking in code-view (Live Writer only has it in the WYSIWYG view)
It doesn’t mangle your HTML when posting. WLW “compresses” it (strips out unnecessary white-space), which might get you a slight performance improvement, but will annoy you to no end if you wish to edit it later.
It can search for pictures directly on Flickr. However, it offers no way for you to comply with the licenses – for example, I find all the imagery for the blog on Flickr using the advanced search and checking the “Only search within Creative Commons-licensed content” option (I also check “Find content to use commercially”, just in case I monetize this blog at some point).
The bad:
Keyboard shortcuts don’t work on Linux. Even on Windows they work in a limited way: you can’t press for example Ctrl+I twice, once to italicize then again to come back to normal, because the selection is lost after the keypress.
It doesn't support spellcheck for the title of the post. You can get around this by cutting and pasting the title into the body of the post, but it is still annoying.
Editing in WYSIWYG mode produces incredibly atrocious HTML (to be more precise: it produces almost no HTML). It doesn't even wrap paragraphs in P tags. Comparatively, Live Writer produces quite usable and clean HTML (when I first tried WLW, my fear was that the resulting HTML would be along the lines of the tag-soup created by the “export to html” feature of MS Word – but it is much better).
The categories/tags pane is a pain to use. First of all, I'm quite sure it didn't import all the tags I use on Blogger, but just a much smaller subset of them. Second of all, it has no filtering capabilities; you have to scroll through the list. WLW has a nicer (not perfect, but much nicer) quick-filtering feature for the tags.
It doesn't offer manipulation options for the uploaded images. While this is somewhat understandable (since there is not very much you can do with JS), at least basic resizing (even if it is via the “dumb” method, i.e. specifying the width and height for the image tag) would have been nice. Compare this with WLW, where I can insert an image which is right aligned, scaled correctly, with a shadow added and linked to the original image, in seconds.
ScribeFire mangles HTML code entered directly! This was one of the biggest drawbacks (combined with the lack of keyboard shortcuts). For example, it seems that it doesn't know about the <code> tag, and in my last post it started converting tag signs into < / >.
All in all, WLW is currently the superior product. It has its problems, but they are far fewer and farther between than the ones in ScribeFire. This doesn't mean that I've given up on ScribeFire (or on other, alternative blogging tools), but this isn't the right moment to switch to it.
use strict;
use warnings;
use File::Copy 'move';
my ($condition, $src, $dst) = (0, 'source.txt', 'target.txt'); # sample values, so the snippet runs as-is
# \&move refers to the imported sub; \&link does NOT refer to the link built-in
my $op = $condition ? \&move : \&link;
# ...
$op->($src, $dst); # dies with "Undefined subroutine &main::link" when $condition is false
So, I tried to get it working, but I kept getting the error:
Undefined subroutine &main::link called at linkme.pl line 2.
For move it worked fine. Finally, thanks to the guys and girls on #perl from freenode.net I found the following documentation: perlsub - Overriding Built-in Functions. Amongst other useful things it says that:
Even though it looks like a regular function call, it isn't: you can't take a reference to it, such as the incorrect \&CORE::open might appear to produce.
The conclusion: there are many dark corners of Perl, but you can see it as an opportunity to learn :-). The final solution was to wrap link into an anonymous subroutine (the explicit specification of parameters is needed because link is specified explicitly as "sub ($)", so the simpler @_ method doesn't work):
my $op = $condition ? \&move : sub { link($_[0], $_[1]) }; # the anonymous sub calls the built-in link
Hopefully this will help somebody out by pointing her in the right direction. And here is a funny (and relevant to the situation :-p) quote to get you through the day: "I distrust camels, and anyone else who can go a week without a drink." - Joe E. Lewis
This post will be quite “video-heavy”, so I won't embed all the videos (because the post would load very slowly); rather, I will just link to them.
Nate Koechley: "Professional Frontend Engineering" – a good introduction in the topic. Covers progressive enhancements and similar topics. If you are already well-versed in the basics, there isn’t anything particularly new here.
Gopal Venkatesan: "Writing Efficient JavaScript" – interesting micro-benchmarks. The presentation itself is not as clear as it could be (there are also some elementary mistakes, like measuring at the microsecond level – measurements for such short time periods in modern multi-tasking OSs are almost meaningless). But there are a couple of ideas which might be worth considering.
Ether: Malware Analysis via Hardware Virtualization Extensions – nothing incredibly new (in fact my diploma thesis was very similar to this, the difference being that I patched Qemu to do this – with hardware support this is much faster), but still interesting. There is of course the problem of how much you let the (suspected) malware interact with the “interwebs”. Make it too little, and samples won't run. Make it too much, and you risk participating in a DDoS attack.
Via the Enterprise Application Whitelisting blog: the Cisco guide to check the validity of IOS images before updating the routers. Their recommendation? Check the MD5! Fail! MD5 is insecure and has been broken several times publicly. I understand that their legacy tools only support MD5, but at least publish the SHA1 (or preferably SHA-256 and SHA-512) sums and give people instructions on how to validate them manually. How often do you update the firmware, that this would be a burden?
How to blog anonymously (via the Tor blog): Anonymous Blogging with Wordpress & Tor. This can be increasingly important as countries traditionally thought of as “democratic” begin to also severely restrict free speech (see the recent cases in the UK, Australia and New Zealand).
Via GlasBlog (sorry for all the non German-speakers):
A central honeypot to collect RFI attempts – this could be improved with mod_proxy, since there is no guarantee that the automated scanning tool actually follows 3xx redirects (or that it follows them off-site).
The Schnucki project – another project aimed at watching web crawlers which collect e-mail addresses.
The Enso Launcher – a quick way to launch executables and perform other tasks on your computer. Also, it is free :-)
Why I Sued Google (and Won) – a tale about how somebody disputed in court the fact that their AdSense account got closed, and got a favorable verdict. Now, I never used AdSense (or other ad services), but it is good to know that you might have recourse (of course, if you are outside of the USA, it is an entirely different case).
Another reason is that I don't like black boxes, and it is my opinion that all knowledge should be disseminated in the open :-).
So how does the “vaccination” work? (as a sidenote: in the “olden days” – meaning DOS - the idea of “vaccination” was quite common and was based on the idea of emulating the checks which different viruses used to detect if they already infected the system. This quickly became unmanageable, since not all viruses checked for previous infections and some used the same vector but wanted different results. This program however has nothing to do with this method of vaccination.)
There are actually two components to it:
The “immunization” of the computer: this is done by the IniFileMapping feature I also discussed.
The “vaccination” of the USB drives: this is done by creating a folder named “autorun.inf” on the drive. Since folders and files share the same namespace on most file systems, you can't create a file and a directory with the same name. There is also some additional magic involved: the tool creates a file named lpt1 in the folder named autorun.inf (so you have the structure U:\autorun.inf\lpt1) in which it writes “caacaacaacaacaa” (don't ask me why, I have no idea – it seems to be a gene sequence).
This makes the folder undeletable by conventional tools. The reason is the interaction with the DOS compatibility layer (in DOS, LPT1 referred to the printer port, so for compatibility reasons Windows tries to open the printer port whenever you ask for LPT1). For a more detailed description and workarounds which can be used, see the section “Cause 5: The file name includes a reserved name in the Win32 name space” in KB320081 from Microsoft. A couple of errors in the announcement:
The announcement claims "USB drives that have been vaccinated cannot be reversed except with a format". This is not actually true, in fact the "vaccination" can be undone as described in the Microsoft KB.
"Panda USB Vaccine currently only works on FAT & FAT32 USB drives" – while this is true, the reason for it is that the program explicitly checks for the given filesystems (possibly because the authors thought that the method works because of quirks in the FAT filesystem, but in fact it works because of the compatibility layer in the Win32 API, independent of the underlying FS). Also, on the NTFS filesystem other tricks can be played to create “undeletable” files / folders (like removing all the permissions for the given item, or playing with the fact that NTFS is case sensitive – even though case insensitivity is emulated by the Win32 API, etc.), but none of them is irreversible as the blogpost claims. A possibly irreversible (or more accurately: very hard to reverse) change would be to open the disk directly and muck around in the allocation tables / MFT, selectively corrupting them, but this would be very risky.
So there you have it. Nothing too magical and some errors/misunderstanding in the original post. Also, it is quite possible that future malware will look for the “immunization” on USB drives and reverse it.
This is slightly off-topic: a collection (in the form of a YouTube playlist) of songs by Hungarian bands (mostly older, because I hate new stuff :-)) which I love and find inspiring. I plan to do a similar playlist for Romanian songs/bands; however, I'm not well versed enough in the topic to avoid missing some really obvious elements (so probably I will ask for help from my friends).
Luckily, on the Network Security Blog I saw the link to LongURL, which provides the same action for multiple services (in fact I think that they fetch the URL with something like cURL and observe the final destination, so in theory they should be able to support any service) and they provide a REST API. W00t!
PS. This service doesn't support Shrinkster.com, presumably because they show a click-through page rather than sending a 3xx header. I can't support them with a custom pipe either, because their tracking page needs a POST rather than a GET, and it is also based on the ASP viewstate (so you would need to do a rather complicated dance of fetching the page, getting the viewstate and reposting it). Offtopic rant: this is what you get for trying to create the “VB 6.0” illusion on the web, Microsoft! No leaky abstractions please!
Below you can see the pipe, which is relatively simple:
The code consumes the result of the pipe as JSON and generates the flash object. It is adapted from the original include code. If you wish to use it, you should edit the Yahoo Pipes URL (replace it with your blog URL and the number of tags you wish to show), the text color (on the line with “tcolor”) and possibly the size of the flash. The weird method for constructing the links is necessary because Blogger seems to “muck” with the code otherwise.
If you are reading this in your RSS reader, visit the blog to see it in action.
Update: it seems that the Flash file can't interpret tag names with special symbols in them (like '). Because of this I modified the pipe so that such tags are filtered out. This will result in some top tags not being displayed (if they contain special characters), but I considered this the right solution, because even if they were displayed, clicking on them wouldn't result in anything. Credit goes to Evie for finding this issue.
Update: the S3 instance hosting the flash file and javascript (halotemplates.s3.amazonaws.com) went away (thanks to Soufiane for pointing this out). So I've downloaded the latest version of WP-Cumulus and uploaded the SWF file to Google Code. The SWFObject library is also served from there. So to everyone using the old version: please update to the latest code posted above to make it work again. Sorry for the disruption!
Update: The update broke the "clickability" of the links, since it seems that the new SWF file requires absolute URLs for that. This is now fixed in the script above.
Update: Yahoo pipes changed their backend and thus some adjustment was needed in the pipe which was done.
Via Jeremiah Grossman: Detecting browsers which are in incognito mode – interesting. It is based on the CSS history color hack and works because browsers in incognito mode seem to report all URLs as not visited, even if the visit occurred in the same session.
From Joanna Rutkowska: Attacking SMM Memory via Intel® CPU Cache Poisoning (link to PDF). Very cool. Basically the Intel CPU cache doesn’t respect the protection of SMM Memory under some conditions and writes back the changes to it (even though it shouldn’t). Nice one!
This is a raw tutorial for installing webhoneypot on a router running OpenWrt. The version used is Kamikaze 8.09 (this can be important because commands change between versions). The tutorial is not 100% complete and I will update it in the future when I learn new information.
Another assumption I make is that you have a separate Linux machine. The techniques can also be adapted to Windows, but it is easier on Linux.
The first step is to make more space. Typical routers come equipped with a small amount of flash (between 8 and 20MB), which isn't even enough to install all the packages. This means that some kind of external storage needs to be employed. In this example I'm assuming that a USB flash drive is used (a further hidden assumption is that the router in question has USB ports – for example some of the older WRT54Gs don't, but the ASUS 500 series do).
After logging in with SSH, update the list of packages: opkg update (in version 8.09 the list of packages is kept in RAM, so it needs to be refreshed after each reboot).
Following (adapting) the UsbStorageHowto from the OpenWrt wiki, I installed the USB 1.1 and 2.0 modules (surprisingly both types of modules are needed to support USB 1.1 and 2.0 devices - 2.0 doesn't offer compatibility with 1.1) and the ext3 filesystem modules:
opkg install kmod-usb-uhci kmod-usb2 kmod-usb-storage kmod-fs-ext3
# The insmod commands might not be necessary, because I got the message
# "insmod: a module named X already exists" for all of them, but better
# safe than sorry
insmod usbcore
insmod uhci
insmod ehci-hcd
insmod scsi_mod
insmod sd_mod
insmod usb-storage
insmod ext3
Now we format our stick with the ext3 filesystem on the Linux box we have access to. You can do it with a visual tool like gparted, or from the command line:
sudo cfdisk /dev/sdx #delete other partitions and create a Linux partition
mkfs.ext2 -j /dev/sdx1 #make sure to use the correct device :-)
You might also want to consider dedicating part of the stick to swap (since the RAM of the router is also quite limited).
Plug the stick into the router and mount it:
mkdir /mnt/usbstick
mount /dev/scsi/host0/bus0/target0/lun0/part1 /mnt/usbstick
Now, the following steps can lead to bricking your router, so proceed with care. The basic plan is the following:
Copy over the /usr directory to the stick
Delete the /usr directory from the internal flash
Mount the stick on the /usr directory
Install the packages we need
Copy back the old /usr directory to the internal flash (for safety, in case the flash drive can not be mounted for some reason)
This elaborate dance is needed because opkg (the package manager) insists on having X amount of free space on / before starting the install, even if /usr (where the packages will ultimately end up) is mounted from a separate device. opkg does have options which theoretically can work around this problem, however I couldn't use them successfully.
To execute our plan:
mkdir /mnt/usbstick/usr_backup
# these commands will take some time
cp -R /usr/* /mnt/usbstick
cp -R /usr/* /mnt/usbstick/usr_backup
rm -rf /usr/*
umount /mnt/usbstick
mount /dev/scsi/host0/bus0/target0/lun0/part1 /usr
# now install the new packages. a few comments:
# - nano is so that we can do some basic text editing (yeah, vi is too hard for me :-))
# - php5-cli is needed because in the future an update capability will be added to
# the webhoneypot, which will be run from the command line
# - php5-mod-curl - it is possible that this will be a dependency in the future
# - php5-mod-openssl - the updates will be (possibly) done through SSL in the future
opkg install lighttpd lighttpd-mod-cgi lighttpd-mod-rewrite nano php5 php5-cli \
php5-mod-curl php5-mod-openssl php5-mod-pcre php5-mod-sockets
# now copy back everything to /usr
umount /usr
mount /dev/scsi/host0/bus0/target0/lun0/part1 /mnt/usbstick
cp -R /mnt/usbstick/usr_backup/* /usr/
# and remount the stick again
umount /mnt/usbstick
mount /dev/scsi/host0/bus0/target0/lun0/part1 /usr
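The same relocation plan, as an added example script that is not part of the original tutorial: it compares checksums of the copies against /usr before the internal flash is wiped, and uses cp -a so that modes and symlinks survive. The device path and mount point are assumed to be the ones used above; copy_verified and tree_digest are names I chose.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the /usr relocation plan
# with a checksum comparison before anything on the internal flash is deleted.
# Assumes the tutorial's device path and mount point (adjust to your router).
STICK=/dev/scsi/host0/bus0/target0/lun0/part1
STICK_MNT=/mnt/usbstick

# Print "path  md5" for every regular file below $1, sorted, so that two
# directory trees can be compared file by file (busybox find/md5sum suffice).
tree_digest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          printf '%s  %s\n' "$f" "$(md5sum < "$f" | cut -d' ' -f1)"
      done )
}

# Copy the contents of $1 into $2 (preserving modes, owners and symlinks)
# and return 0 only if the copy's digest matches the source's.
copy_verified() {
    mkdir -p "$2" && cp -a "$1"/. "$2"/ || return 1
    [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]
}

# The plan from the post; only runs when invoked as: sh relocate_usr.sh run
relocate_usr() {
    mkdir -p "$STICK_MNT"
    mount "$STICK" "$STICK_MNT" || { echo "cannot mount stick"; return 1; }
    # Working copy at the stick root first, then the safety backup beside it.
    copy_verified /usr "$STICK_MNT" || { echo "copy to stick failed"; return 1; }
    copy_verified /usr "$STICK_MNT/usr_backup" || { echo "backup failed"; return 1; }
    # Both copies verified: only now free the internal flash.
    rm -rf /usr/*
    umount "$STICK_MNT"
    mount "$STICK" /usr || { echo "cannot mount stick on /usr"; return 1; }
    opkg install lighttpd lighttpd-mod-cgi lighttpd-mod-rewrite nano php5 php5-cli \
        php5-mod-curl php5-mod-openssl php5-mod-pcre php5-mod-sockets
    # Put the old /usr back on flash so the router still boots without the stick.
    umount /usr
    mount "$STICK" "$STICK_MNT"
    cp -a "$STICK_MNT/usr_backup"/. /usr/
    umount "$STICK_MNT"
    mount "$STICK" /usr
}

case "${1:-}" in run) relocate_usr ;; esac
```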
Now we have the packages installed. What follows is the fetching of the honeypot code from the repository and its installation to the router.
First we need to fetch the honeypot from the SVN. We could do this on the router (because it has a subversion-client package), but unfortunately that package doesn't support the HTTP (WebDAV) protocol (as per the SVN FAQ, SVN implements a plugin system for the different protocols and ra_dav is missing from the package provided by OpenWrt). So we do it on the Linux box: svn export http://webhoneypot.googlecode.com/svn/trunk/
We should also prepare two other files on the Linux box, which will be copied over to the router (you could create them on the router, but it is more convenient to do it on the Linux side):
[PHP]
engine = On
short_open_tag = Off
asp_tags = Off
output_buffering = Off
max_execution_time = 5
max_input_time = 60
memory_limit = 8M
error_reporting = E_ALL & ~E_NOTICE
register_globals = Off
post_max_size = 8M
magic_quotes_gpc = Off
magic_quotes_runtime = Off
enable_dl = Off
cgi.force_redirect = 1
file_uploads = Off
allow_url_fopen = On
allow_url_include = Off
apc.enabled = Off
extension_dir = "/usr/lib/php/"
extension=pcre.so
We set up lighttpd to run PHP scripts using the CGI protocol (FastCGI would be more efficient, but also more complicated). The steps were adapted from this tutorial. The php.ini file is needed for two reasons: first, Perl-compatible regex support is not compiled into the PHP binary, so we must load it as an extension. Second, APC support is compiled into the PHP library, so we must disable it, since it tries to allocate 32M of memory by default, which makes PHP fail, since we have around 20M of memory in total :-).
To test that your PHP installation is working, issue the following command on the router:
/usr/bin/php-cgi -v
It should output some basic information about PHP (like version, copyright, etc). If it fails because of the APC cache, it outputs an error message like the one described here:
[apc-error] apc_shm_create: shmget(0, 8388608, 658) failed: No error. It is possible that the chosen SHM segment size is higher than the operation system allows. Linux has usually a default limit of 32MB per segment.
We copy all the files from the Linux box to the router (in the /usr directory, since it now represents the USB stick):
# on the router:
mkdir /usr/wh
# on the Linux box - replace 192.168.1.1 with your router's IP
scp -r * root@192.168.1.1:/usr/wh
# on the router:
mkdir /etc/lighttpd
mv /usr/wh/lighttp.conf /etc/lighttpd
mv /usr/wh/php.ini /usr/bin
# start the webserver
lighttpd -f /etc/lighttpd/lighttp.conf
Check that everything is working by accessing the address http://192.168.1.1/phpbb/ from your box (where 192.168.1.1 should be replaced with your router's address).
Now configure the honeypot however you wish. The installation document should give you a good start. To edit the configuration file, do nano /usr/wh/etc/config.local. One thing I would suggest is to add loglevel=4 to it, so that the request details are also stored locally.
The next step would be to get a DNS name (from DynDNS for example). This is especially important if you have an IP address which changes from time to time. Also, you should submit the honeypot URL to the search engines. Have fun and please report any bugs or problems on the issue tracker.
Via the Security4All blog: The Untold Story of the World's Biggest Diamond Heist – very cool and a good reminder that you must consider the resources an attacker is willing to invest when you are planning your defense. Bonus points to Wired for having a “full page” option, rather than making you click through an endless flow of ads.
A fun (and totally addictive :-)) little Flash game: Magnet towers. There are a couple of shortcomings (no pause button, sound is only mutable during the game, sometimes pieces are under the mute button, no concept of multiple lives/levels - you always have to start from scratch).
From skunkworks with the comment “Asimov would have liked it”:
In fact Asimov recognized long ago that robots which are too similar to humans make us feel uncomfortable. It is better (from a psychological standpoint) to make robots of different form-factors.
McAfee Debuts ‘Combating Threats’ Series – unfortunately it doesn’t seem to offer much more than the descriptions which are already accessible on their site (yes, there are some screenshots in them, but that’s pretty much it).
Via Glasblog: the Anubis sandbox now offers clustering based on behavior – interesting. There are quite a few methods to cluster malware, the problem is to do it in a scalable way (a competitive solution should be able to cope with at least 20 000 samples per day).
Parrot 1.0.0 has been released – if you don’t know, Parrot aims to be a VM implementing multiple dynamic languages, and it also is the main implementation of Perl 6 currently. Speaking of Perl 6, check out the Perl 6 series from Gabor Szabo.
From splitbrain.org comes the link to The hero factory. A fun (and well executed) project, however they don’t specify how and under what license the image can be used. I know that I’m nitpicking here, but I’ve become sensitive to such issues lately. I’ve emailed them (the contact address was also quite hard to find) and suggested selecting a version of Creative Commons, however they haven’t responded as of yet.
A similar site is Simpsonize Me. They offer a list of conditions under which the image can be used.
I am a fan of BOINC, which uses distributed computing to solve massive problems (some very serious, like finding a cure to certain types of cancer, others more abstract, like finding prime numbers).
The problem however is ease of use and distribution. You have to (a) know that this software exists and (b) know how to download and install it.
Another option would be to use a platform which is already widely distributed to make the delivery easier. Some of the options would be:
Flash – version 10 has a JIT compiler for the ActionScript part
Javascript – Chrome has a JIT compiler and Firefox 3.5 will hopefully have one (which can already render some 3D in real-time)
Java and Silverlight 2 – they have more advanced JIT compilers, but are not as widely available as the first two options
There is some performance loss when we compare these technologies to native code (up to 90%), but we have at least two factors working in our favor: we can work on a large scale and the performance of these technologies will improve in the future.
Now, it is not all rosy:
The most popular technologies (Flash and Javascript) do not support threading or setting the priority of the process AFAIK. This means that, in order to make the calculation unobtrusive, it must be chunked up into very small pieces (less than 1 second) with pauses inserted between them
The computation performed by a single person is very limited, especially if the business model is to place the code on webpages, because the time spent on a webpage is small. This means that the task must be such that it can be chunked up into very small pieces
One company which is making a play for this market is Plura Processing (see also their blog). Disclaimer: I have no relations with the company, I just found their idea interesting. From what I understand, they use Java for the processing part and target pages which have a longer “stay-time” (like pages containing Flash games) and they have a revenue-sharing model with the webpages who embed their applet. Cool!
Via StopBadware.org: BadwareBuster.org removes the beta label and goes live. It is a forum that tries to help people who are struggling with a malware problem, either on their home computer or on their website. What I liked:
Full RSS feed to the site (so that it can be mined for malicious URL's for research purposes :-))
No-fluff interface
When an external link is clicked, it first goes to a warning page
When it first launched it was criticized by some as an attempt to redirect traffic from CastleCops. Now that CastleCops is no more :-(, this shouldn't be an issue. Hopefully the fact that it has some big companies backing it means that it's not going anywhere soon (and that it can withstand any potential DDoS attack launched against it easily). The traffic is quite low at the moment (compared to some bigger forums), but probably it will increase. Finally, here is a short video presenting it (it focuses more on the UI side than the functionality):
PS. A revelation that came to me: how to repetitively execute searches on search engines without getting banned? (to find malicious links for example): you can use their API, but you could also use Yahoo Pipes, which includes a Yahoo Search input module and you can get the results conveniently as an RSS feed, PHP structure or JSON (whichever is easier for you to parse).
Fun (curious) fact: all recent (newer than 2006) hard drives have ATA commands in them specifically for wiping the data off of them. There are at least two advantages to this method:
It wipes all sectors (including sectors marked as bad by the internal tables)
Installing DokuWiki on a SourceForge account – it seems that SF has some more complex security policies (which is good), but it takes a little command-line kung-fu to install DW (because it needs write access to some directories).
Guaranteeing deletion – an interesting thought-experiment on how to guarantee the fact that a hostile system executes your commands. The proposed solution: make it repeat back the things you have written to it and hope that it doesn’t have enough “off-line” storage to keep it separate from the disk. What I see as a problem: the system could still keep a part of the info in RAM, preserving at least part of the disk. Also, the data must be as random as possible, because otherwise much more can be kept in a smaller space using compression.
Optimizing strlen – an interesting article exploring different low-level optimizations. That said, measure first, optimize second. Or more precisely: set goals first, measure second and optimize third.
A collection of Linux performance measurement related posts:
In Oracle everything is a NUMBER – while this is a nice abstraction, I really hope that there is some optimized code for specific use-cases behind the scene (like INTEGERS), otherwise it seems to be a big waste of performance.
The end-rant about the Ask toolbar – wondered why some people were so touchy about products (big brand-name products!) bundling the Ask toolbar? Read this.
Part 2 for top 10 RDP misconceptions – interesting, but the security part is still marketing blah-blah. Crypto is hard to get right, even if it is “full-blown” and “standard based” (just take a look how the Wii public-key crypto got broken).
Independent Attack Discoveries – why it is infeasible to assume that you can keep vulnerabilities secret. Even for highly technical stuff we have multiple independent parties working on it, so any website vulnerabilities are almost certainly known to multiple parties (many of whom are probably malicious!)
From Roger's Security Blog: how virtualization can hurt you – the virtualized DC synchronized its time with the NTP server, but then it was forced to synchronize with the host, which had the wrong time (BTW, a cool fact: time.windows.com is part of pool.ntp.org! Very good MS!)