
Tuesday, March 31, 2009

Updates for Webhoneypot


The development of the webhoneypot is back in swing again. We are aiming for May 15th as the release date for a beta version. A cool new feature which got committed recently is the possibility to “emulate” RFI (remote file inclusion) vulnerabilities.

How does it work (idea taken from the glastopf project):

  • When a possible RFI attempt has been found, the respective file is fetched
  • The file is parsed line-by-line and if certain patterns are recognized, predefined text is output.

This method is based on the observation that most (automated) RFI attempts begin by including a basic script which outputs system information (like the OS version, PHP version, etc.). The emulation tries to recognize these cases and output something realistic-looking enough that the next stage of the RFI is triggered.
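As an added illustration (not the webhoneypot's own code, which is PHP), here is a Python sketch of the two steps above: spotting a request parameter that points to a remote file, then scanning the fetched script line by line and answering with canned text whenever a known probe pattern appears. The rule list, the host and version strings, and the fetch callback are constructed assumptions, not the project's real ones.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed, illustrative rules: a pattern typical of an RFI "probe" script
# mapped to the canned text the honeypot answers with. The real webhoneypot
# pattern list is not on the page; these are assumptions.
PROBE_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bphpinfo\s*\("),
     "PHP Version 5.2.6\nSystem Linux web01 2.6.24-19-server #1 SMP x86_64"),
    (re.compile(r"\bphp_uname\s*\("),
     "Linux web01 2.6.24-19-server #1 SMP x86_64"),
    (re.compile(r"\bsafe_mode\b"), "safe_mode: Off"),
    (re.compile(r"\bdisable_functions\b"), "disable_functions: no value"),
    (re.compile(r"\buname\s+-a\b"),
     "Linux web01 2.6.24-19-server #1 SMP x86_64 GNU/Linux"),
]

# Cap on how much of the remote file we read: the honeypot is fetching
# attacker-chosen content, so never read it unbounded.
MAX_FETCH_BYTES = 64 * 1024


def find_rfi_url(params: Dict[str, str]) -> Optional[str]:
    """Return the first parameter value that is an absolute remote URL.

    A parameter such as page=http://host/x.txt is the classic RFI shape.
    """
    for value in params.values():
        parsed = urlparse(value)
        if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
            return value
    return None


def emulate_rfi(script_text: str) -> str:
    """Scan the fetched script line by line; emit canned text per matched rule.

    Each rule fires at most once, so a script that repeats a call does not get
    duplicated output, and lines without a known pattern produce nothing.
    """
    output: List[str] = []
    fired = set()
    for line in script_text.splitlines():
        for index, (pattern, canned) in enumerate(PROBE_RULES):
            if index not in fired and pattern.search(line):
                fired.add(index)
                output.append(canned)
    return "\n".join(output)


def handle_request(params: Dict[str, str],
                   fetch: Callable[[str], bytes]) -> Tuple[str, Optional[str]]:
    """Tie the steps together: detect, fetch (via the injected callback), emulate.

    Returns (response_body, fetched_url); fetched_url is None when the request
    did not look like an RFI attempt at all.
    """
    url = find_rfi_url(params)
    if url is None:
        return "", None
    raw = fetch(url)[:MAX_FETCH_BYTES]
    body = raw.decode("latin-1", errors="replace")
    return emulate_rfi(body), url


# Constructed sample of the kind of probe script the post describes.
SAMPLE_PROBE = b"<?php\necho 'probe-start';\nphpinfo();\nsystem('uname -a');\n?>\n"

if __name__ == "__main__":
    # Offline demo: the fetch callback returns the constructed sample instead
    # of touching the network.
    reply, url = handle_request({"page": "http://example.invalid/probe.txt"},
                                lambda _u: SAMPLE_PROBE)
    print(url)
    print(reply)
```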

What do you need?

Activating the emulation is rather straightforward – you only need to add the following two lines to your config.local file:


The prerequisites for it to function are: (a) the webserver must be able to make outbound connections and (b) one of the following methods of fetching remote files with PHP needs to be active: the curl extension, allow_url_fopen or sockets.

Warning! Allowing outbound connections from the webserver lessens its security considerably, so you should only do it on test machines.

Have fun!

PS. A bonus tip: if you set loglevel to at least 4, all requests are written to your logfile, in addition to being sent to SANS. This can be useful if you yourself are interested in the attempts of the “bad guys” to compromise your security.

Picture taken from Cyron's photostream with permission.

Mixed links


From Andy Helsby's Bookmarks: How do I Reset a Dell BIOS Password? – apparently for laptops there is a free (if you live in the USA) number you can call, and after giving the serial number for your laptop, they give you a master unlock code. This is cool, but also a reminder that BIOS passwords don’t provide real security.

From the same source: Free PDF to Word converter. I didn’t try it myself, but it is the kind of utility several people have asked me about.

Via CIOs agree that application security is more important, but network security is more "visible". An important point to keep in mind if you need to justify where you’ve spent the money.

Another example that companies can't secure their sites – and even worse, the security companies which are supposed to help them have some glaring omissions.

Via 0Kn0ck's Blog: Internet Explorer 8: Anti Spoofing is a Myth – the title is clearly sensationalistic and the subtitle misleadingly worded (intentionally or not): “Broken Status Address Bar Link Integrity”. What it boils down to is that you can spoof the contents of the status bar via JavaScript (so not the address bar). While not that problematic (since, let's face it, not that many people look at their status bar, or their address bar for that matter), it can be used to make some attacks more believable.

Again from wisdom from a hacker looking at 50 (warning! the link points to a ~226 MB M4V video file). Interesting and inspiring. One minor caveat: you might have already heard this talk from other sources.

From When you have a lot of traffic, minor optimizations can have big impact.


On the DVLabs blog we have a good explanation of what the recently released !exploitable add-in for WinDbg does: “The rule may ask "Is the faulting instruction a read violation of EIP?". If the answer is yes, it calls it a day and labels it exploitable”. Get the slides for more details (they are in PPTX format, but OpenOffice 3.0 can render them acceptably).

From The Dark Visitor blog: The 2009 Annual Report to Congress on the Military Power of the People’s Republic of China [PDF] has been released by the USA DoD. And they do use the word cyber a couple of times :-)

From the xkcd blog: there seems to be some controversy regarding the effectiveness of the Dvorak layout. The second link seems to be more balanced (even though it is from a “make the switch” side :-)). On a related note: the support in Windows seems to be awful, the layout switching almost randomly :-(. And I haven’t yet managed to find a typing tutor which shows the layout of the keyboard on the screen.

Via Security4All: Insecure 20 is out – my usual complaints still apply (the articles are somewhat superficial and there are many advertisements), but after all – it is free. One interesting tool that gets mentioned is XProbe2, an application-level fingerprinting tool. There is also a discussion about ISP level filtering, but sadly it is confused with child pornography and other such issues (I would like a discussion – or a sub-discussion – based entirely on the security aspect).

Another gloomy security presentation from the Invisible Denizen blog: Common Enterprise Security Weaknesses [PDF].

Again from the Security4All blog: a presentation about social engineering from practitioners. Interesting, unfortunately the sound quality is not very good.

A few links from the Lookup blog (which has the subtitle “Unicode conformance and security testing”):

Via a Slashdot comment: How to disable parts of RAM under Linux which are bad?

From episode 99 of Windows Weekly comes the following video:

Yes, that is Jim Allchin, a former member of the Microsoft Senior Leadership Team.

From the braindump blog:

Via the GSD blog: How to run a batch file minimized – basically it detects if it is already minimized, and if not, respawns itself.

Via the Scale-Out Blog: Eventually consistent – it seems that with distributed systems we need to reconsider quite a lot of our assumptions about the data we can store. It references an interesting paper: Brewer’s conjecture and the feasibility of consistent, available, partition-tolerant web services.

Via the Web Axe blog: Accessibility to the Face – why accessibility is important.

Via the Sunbelt blog: Advertising fraud – how “clever” websites try to convince the sponsors that more ad impressions are shown / clicked than are actually seen by the user:

From the Yahoo Pipes blog: YQL (the Yahoo! Query Language) – yet another way to consume data from Yahoo. An interesting experiment and very nice to see companies adopting the concept of free data.

From Monty: Web of Trust – a collaborative way to replicate the functionality of SiteAdvisor. In some way it is more powerful (because it can spot things which are hard to spot automatically – like money mule scams), but in other ways (like adware / spyware / malware) it is questionable if enough people have the know-how to correctly determine if a site is or is not infected (I would fall on the “no” side).

The following link is probably only interesting to my Romanian speaking readers: Salariile reale din industria IT din Romania 2008 – a quick translation of the title: “The real salaries in the IT industry in Romania, 2008”.

The Freshman – seems to be a good movie, especially because of Marlon Brando. Speaking of good movies, Das Leben der Anderen is an exceptional movie (worthy of the “German tradition” of Das Experiment and Good-bye Lenin).

From some interesting 8-bit-like music. If you like the genre, you might want to take a look at and the streaming radio station I mentioned some time ago.

From Coding Horror: The Ugly American Programmer – basically the same ideas I outlined earlier: if you want to be a (good) programmer, you have to know English. It is interesting to compare the reactions in the comments (which mostly agree with the premise) with the comments on Scott Hanselman’s post – the latter had more disagreeing posts. Different demographic I guess.

A recent SANS diary entry pointed me to RANCID - Really Awesome New Cisco confIg Differ. A very interesting tool to have in your arsenal if you manage Cisco routers.

From Otaku, Cedric's weblog: Do you want to play a game? (and here is the solution). A related article: The Coin Flip: A Fundamentally Unfair Proposition?.

From the Random things in IT blog: A couple of free data restore utilities: PhotoRec and TestDisk – and they are open source too! Anyway, if you’ve deleted something you didn’t mean to, stop writing to the given partition as soon as possible (and I mean as soon as possible), because otherwise the chances of recovering anything are extremely slim.

Monday, March 30, 2009



The latest security news (hype?) is the discovery of Gh0stNet. Links:

My take on it? There is no proof that China is behind this. There are alternative explanations (as the paper correctly points out on page 47, but I don’t think that most people got that far). The fact that all those government institutions got penetrated only shows that most people don’t get security (even in “high risk” places). Yes, some of the attacks were targeted, but we hear almost daily about your average worm penetrating all kinds of “big” institutions.

A qualm of mine is that the report is too secretive: it tries to black out essential parts (no MD5 is given for the files, etc.). Also, there are some aspects which make it less believable that this was a “professionally run” operation:

  • From what I’ve seen, the associated GUI only makes it possible to control one machine at a time. This is very ineffective.
  • They mentioned that one of the first files to be retrieved through the network was one containing email addresses. This seems to be indicative of a spamming operation more than an infiltration operation.

Picture taken from Môsieur J.'s photostream with permission.

Friday, March 27, 2009

Alternative regular expression syntax


For a long time I was a believer in the “Perl way” of doing regular expressions and an avid reader of perlre. All other implementations I viewed as a “poor man’s copy” of the one true idea.

However, after reading the Lua Patterns Tutorial, I found it quite enlightening. Even though it is called “patterns” and not “regular expressions”, it is a very similar concept. The very nice touch is that it uses % as escape character rather than \ (like in PCRE). For example, to represent a digit you would say %d instead of \d, a syntax which I suppose is familiar to a larger audience of programmers (everybody who used the printf / scanf family of functions). An excellent idea!

Check out the complete reference (or the wiki) for more details.

Picture taken from Uqbar is back's photostream with permission.

Thursday, March 26, 2009

Build a botnet – without infecting end-users


The idea is not new: get a lot of users to view a given webpage, to DDoS the webserver / backend (depending on where the bottlenecks are). If I recall correctly, some student asked the visitors of his website to continuously refresh the page of his university and got charged for it.

As many have remarked at the time, (a) the university had some weak webservers if they caved to such simple methods and (b) this can be done automatically with JavaScript or Flash and would be very hard to track down.

Imagine the following scenario:

  • The attacker inserts arbitrary JavaScript or Flash content on one or more medium-to-high traffic websites. This can be done multiple ways: one can hack into CMSs and modify the content of the articles to include the code. There are many vulnerable sites out there. Or, an even simpler solution is to buy placements for Flash banner ads and include the code in them.
  • The code (a) looks up a DNS name (this makes the attack targetable) and (b) launches N “threads” and starts sending requests to the given website.

Such attacks would be very hard to diagnose. The requests would come intermittently from a wide range of IP addresses. Even if you could get your hands on such a computer, you couldn’t find the source of the requests easily (it’s not like the computer is infected with malware you can find by scanning the files on the hard disk). It can also be very sneaky, randomly executing (or not) or using geotargeting to select a subset of computers. These techniques are already in use by malicious advertisements (“malvertisements”) which are currently used to try to sell you rogue AV products. Another reason which makes finding the source hard is the fact that AFAIK XMLHttpRequest does not send the Referer header. Another way to get rid of the Referer header is to make the request from an HTTPS site (browsers do not send the Referer in this situation to avoid information leakage).

What can you do? Not very much. Prepare for the DDoS. Have a contingency plan (like a backup location in a different IP space and pointing your DNS entry there). You might be able to differentiate the requests from “normal” requests, but even so, the volume of requests can bring down the machine at the TCP level. And please, please secure your website. We have enough unsecured websites already!
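As an added example (my own code, not from the original post), here is a small Python detector for the traffic shape described above: one path hit by many distinct client IPs in a short window, with most requests carrying no Referer. The log lines are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, bool]]:
    """Return (timestamp, client_ip, path, has_referer) or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    has_referer = m["referer"] not in ("", "-")
    return ts, m["ip"], m["path"], has_referer


def find_suspect_paths(lines: Iterable[str],
                       window: timedelta = timedelta(seconds=60),
                       min_distinct_ips: int = 5,
                       min_no_referer_ratio: float = 0.8) -> Dict[str, Tuple[int, float]]:
    """Sliding-window check per path; lines must be in time order.

    A path is flagged the first time the window holds at least
    min_distinct_ips different client IPs and at least min_no_referer_ratio
    of the requests in it arrived without a Referer. Returns
    {path: (distinct_ips, no_referer_ratio)} as seen at flag time.
    """
    windows: Dict[str, Deque[Tuple[datetime, str, bool]]] = defaultdict(deque)
    flagged: Dict[str, Tuple[int, float]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than abort
        ts, ip, path, has_ref = parsed
        q = windows[path]
        q.append((ts, ip, has_ref))
        while q and ts - q[0][0] > window:
            q.popleft()
        if path in flagged:
            continue
        distinct = len({entry[1] for entry in q})
        ratio = sum(1 for entry in q if not entry[2]) / len(q)
        if distinct >= min_distinct_ips and ratio >= min_no_referer_ratio:
            flagged[path] = (distinct, ratio)
    return flagged


# Constructed sample: six different clients hit / within 30 seconds with no
# Referer, while /about sees ordinary referred traffic.
SAMPLE_LOG: List[str] = [
    '203.0.113.10 - - [26/Mar/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [26/Mar/2009:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Mar/2009:10:00:05 +0000] "GET /about HTTP/1.1" 200 900 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.12 - - [26/Mar/2009:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [26/Mar/2009:10:00:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [26/Mar/2009:10:00:18 +0000] "GET /about HTTP/1.1" 200 900 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.14 - - [26/Mar/2009:10:00:21 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [26/Mar/2009:10:00:28 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, (ips, ratio) in find_suspect_paths(SAMPLE_LOG).items():
        print(f"suspect {path}: {ips} distinct IPs, {ratio:.0%} without Referer")
```

A legitimate front page also gets many direct (no-Referer) visits, so the thresholds only point at something to look into; the page's own advice about capacity and a fallback location still stands.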

Picture taken from 416style's photostream with permission.

Wednesday, March 25, 2009

An other reason for having command line


Because you can easily follow along with tutorials / troubleshooting guidelines / other documentation. Check out the difference between these two tutorials:

In the first you have to orient yourself after some screenshots. If an error message comes up, it is much less likely that you will find it using a search engine, because all similar instances will be encoded in pictures. Also, it is much harder to follow along.

Now check out the second case. You can copy-paste directly the commands from the blog. If errors come up, they will probably be present (and searchable) on the Internet, since they are inherently in a textual format.


Picture taken from marcman220's photostream with permission (and yes, I know that it is from a Windows CMD. Some command line is better than no command line)

Mixed links


A paper about the state of the databases which store our information in the EU. I skimmed through it; it is probably of more interest to people who are concerned about this aspect.

Advances in HTTP encapsulated payloads – a presentation about Metasploit using outbound connections. Nothing too revolutionary, but a good reminder that just because you only allow outbound HTTP traffic, it doesn’t mean that you are safe.

IE8 has issues with a lot of sites in the restricted zone list – this wouldn’t be an issue, but apparently Spyware S&D uses this method to block sites. While in some sense adding 10 000+ sites is excessive, at the same time if this worked acceptably with older versions, it is a regression (along the same lines: having a lot of entries in the hosts file – for the same reason, to block certain sites – makes the DNS service spike at 100% for several seconds. As a sidenote, Ubuntu doesn’t seem to have this problem :-)).

Via Security Balance: the Microsoft Azure “cloud” went down for 22 hours because of patching. Last year Amazon EC2 went offline for a couple of hours. On average these services probably have a much better SLA level than 99% of the companies, yet still people point to these incidents as risks...

From the GrandStreamDreams blog:

  • An update to Network Monitor, Microsoft’s version of Wireshark (if you have to install software, why not use the better product, i.e. Wireshark? :-))
  • DD in Windows Forensics [PDF]
  • Solving the This driver is not signed problem – ok, this is bad from a security standpoint. This means that any malware with administrator privileges (which it already must have to install rootkits) can simply do a two-step process to install the rootkit: (a) install its own certificate and (b) install the rootkit. Why not require all drivers to be signed by a central authority? For legal reasons I assume...
  • Is Windows Forensic Edition Forensically Sound? – yes, if you know what settings to change. But for the love of the almighty: these settings should have been set by default! I know that it is more convenient to have the partitions mounted auto-magically, but then don’t call it “forensic” edition

Protocol coverage metrics – it got me thinking: wouldn’t it be nice to have a formal grammar for the protocols, so that we can check if the implementations conform to them?

From Ts'o: Delayed allocation and the zero-length file problem – essentially ext4 changed the commit delay from 5 to 60 seconds, so if your application crashes, tough.

The Metasploit performance can be improved considerably by a simple patch – this is really needed, because it is slooow. Also, memory reallocation is slow, no matter in what language you do it.

Via ReverseEngineering Reddit: The Beginners Guide to Codecaves. A nice article. It also talks about TSearch, a useful tool for quickly localizing and editing variables in the application's memory space.

Retro Computing presentation – what you can use an older computer for. has a new design – very Web 2.0 :-)

Via Slashdot: proof of concept BIOS-level rootkit. Since the method to persist from 16 bit mode to already exists, it is probable that it will be included in some targeted attacks.

Dan Kaminsky’s slides from CanSecWest – interesting stuff, as always. I very much liked the method of using faked FTP connections to set up port forwarding at the router.

Via (by a comment from Andreas Gohr): Augmented reality via RjDj.

Picture taken from Hamed Saber's photostream with permission.

the_source review


the_source is a video podcast (vidcast? netcast?) concerned mostly with open source. The show is of high quality and they pride themselves on only using open source software to produce it (they use Cinelerra, now renamed Lumiera, which seems to be a very nice non-linear video editor for Linux).

Their episodes are high quality, and even if some (read: me :-)) might complain that there are too many audio/video effects, it is just a matter of taste. There are only ~8 episodes out there, so you can go back and watch them all :-). Some interesting episodes I really liked are the interview with Jon "Maddog" Hall and Revenge Of Cinelerra.

You can find a complete list of episodes in different formats here. This also includes streaming Vimeo, so you can watch it in your browser, without having to download it.

Disclaimer: the review is a personal opinion and I do not have any relationship (business or otherwise) with the authors of the show (other than the occasional comments on their blog).

It’s all in the eye of the beholder


One key aspect of the rogue AV/AS/AM products is the fact that they are using scare tactics to sell their "products". However even legitimate products have tendencies to go in this direction, as the two examples below illustrate.

The first example is from a Secunia PSI install. Just to clarify my stance on it: it is a great product and the things said in the notification balloon are 100% true. However, it is still very reminiscent of messages generated by some rogue products trying to sell their products.

The second one is from the Authentium blog:


I really, truly believed this to be a screenshot of a new rogue AV, especially because quite a few security sites publish screenshots of these products. It was only after a more careful look that I realized what I was looking at: a screenshot of their product. I left a comment on their blogpost advising that the title and screenshot looked very much like a rogue product (kudos to them for allowing comments on the blog), which got deleted :-). It seems that their PR department is one of the many which doesn’t get that on the web the barrier of entry is much lower and big money doesn’t control what is and isn’t said (or at least not that much).

While I’m ranting about user interfaces, here is one more point: why can’t people make updates automatic, non-invasive and separate from new product installs? As an example, here is the update dialog box from the FoxIt PDF reader:


Can anyone tell me, just by looking at the dialog, what features I currently have installed and what I should update? I certainly couldn’t! This isn’t just a “fluffy / good to rant about” topic. A recent study from Google found that Firefox users are much more likely to be up-to-date with the latest version, compared to Opera users, and they attributed this to the fact that Mozilla Firefox has a “one-step” update process (effectively you just have to click yes once), while with Opera you must download the new install kit, run it and click through it.

Update: added link to the browser study.

ScribeFire review (comparison with Windows Live Writer)


I’m constantly searching for more efficient ways to write blogposts. Currently I’m using Windows Live Writer in a VirtualBox instance running Windows 7, but I wanted to give ScribeFire a try.

The short version: it had some interesting features, but on the whole it had too many negatives compared to Live Writer to be useful for me. The long version:

The good:

  • Cross-platform, which means that I wouldn’t be tied to Windows (or some emulation layer)
  • Open-source
  • Supports Blogger
  • Can import and edit existing entries from Blogger (Live Writer only knows about the entries you created with it)
  • It has spellchecking in code-view (Live Writer only has it in the WYSIWYG view)
  • It doesn’t mangle your HTML when posting. WLW “compresses” it (strips out unnecessary white-space), which might get you a slight performance improvement, but will annoy you to no end if you wish to edit it later.
  • It can search for pictures directly on Flickr. However, it offers no way for you to comply with the licenses – for example for all the pictures I find imagery for the blog on Flickr using the advanced search and checking the “Only search within Creative Commons-licensed content” option (I also check the “Find content to use commercially” just in case I will monetize at some point this blog)

The bad:

  • Keyboard shortcuts don’t work on Linux. Even on Windows they work in a limited way: you can’t press for example Ctrl+I twice, once to italicize then again to come back to normal, because the selection is lost after the keypress.
  • It doesn’t support spellcheck for the title of the post. You can get around this by cutting and pasting the title in the body of the post, but it is still annoying
  • Editing in WYSIWYG mode produces incredibly atrocious HTML (to be more precise: it produces almost no HTML). It doesn’t even wrap paragraphs in P tags. Comparatively, Live Writer produces quite usable and clean HTML (when I first tried WLW, my fear was that the resulting HTML would be along the lines of the tag-soup created by the “export to html” feature of MS Word – but it is much better).
  • The categories/tags pane is a pain to use. First of all, I’m quite sure it didn’t import all the tags I use on Blogger, but just a much smaller subset of them. Second of all, it has no filtering capabilities, you have to scroll through the list. WLW has a nicer (not perfect, but much nicer) quick-filtering feature for the tags.
  • It doesn’t offer manipulation options for the uploaded images. While this is somewhat understandable (since there is not very much you can do with JS), at least basic resizing (even if it is via the “dumb” method – i.e. specifying the width and height for the image tag) would have been nice. Compare this with WLW where I can insert an image which is right aligned, scaled correctly with a shadow added and linked to the original image in seconds.
  • ScribeFire mangles the HTML code entered directly! This was one of the biggest drawbacks (combined with the lack of keyboard shortcuts). For example it seems that it doesn’t know about the <code> tag, and in my last post it started converting tag signs into &lt; / &gt;

All in all, WLW is currently a superior product. It has its problems, but they are far fewer and further between than the ones in ScribeFire. This doesn’t mean that I’ve given up on ScribeFire (or on other, alternative blogging tools), but this isn’t the right moment to switch to it.

Picture taken from La case photo de Got's photostream with permission.

Function references in Perl


A friend asked me how to do the following:

use strict;
use warnings;
use File::Copy 'move';

# Inputs declared so the snippet compiles under strict (e.g. 1 old.txt new.txt).
my ($condition, $src, $dst) = @ARGV;

my $op = $condition ? \&move : \&link;   # \&link is the problematic half
# ...
$op->($src, $dst);

So, I tried to get it working, but I kept getting the error:

Undefined subroutine &main::link called at line 2.

For move it worked fine. Finally, thanks to the guys and girls on #perl from I found the following documentation: perlsub - Overriding Built-in Functions. Amongst other useful things it says that:

Even though it looks like a regular function call, it isn't: you can't take a reference to it, such as the incorrect \&CORE::open might appear to produce.

The conclusion: there are many dark corners of Perl, but you can see it as an opportunity to learn :-). The final solution was to wrap link into an anonymous subroutine (the explicit specification of parameters is needed because link is specified explicitly as "sub ($)", so the simpler @_ method doesn't work):

# No & sigil on link: "&link(...)" would again look for a user sub main::link
# instead of the builtin, which is exactly the undefined-subroutine error above.
my $op = $condition ? \&move : sub { link($_[0], $_[1]) };

Hopefully this will help somebody out by pointing her in the right direction. And here is a funny (and relevant to the situation :-p) quote to get you through the day: "I distrust camels, and anyone else who can go a week without a drink." - Joe E. Lewis

Picture taken from Neil Carey's photostream with permission.

Tuesday, March 24, 2009

Mixed links


This post will be quite “video-heavy”, so I won’t embed all the videos (because the post would load very slowly), rather I will just link to them.

Nate Koechley: "Professional Frontend Engineering" – a good introduction in the topic. Covers progressive enhancements and similar topics. If you are already well-versed in the basics, there isn’t anything particularly new here.

Gopal Venkatesan: "Writing Efficient JavaScript" - interesting micro-benchmarks. The presentation itself is not as clear as it could be (there are also some elementary mistakes like measuring at the microsecond level – measurements for such short time periods in modern multi-tasking OSs are almost meaningless). But there are a couple of ideas which might be worth considering.

Nicholas Zakas: "Maintainable JavaScript" – the title says it all :-)

Attacking Layer 8: Client-Side Penetration Testing SOURCE Boston Edition – good presentation about the client-side capabilities of Metasploit (“user assisted exploitation” :-)). As a related note: on the Techie working in a corporate world blog you can find a lot of Metasploit scripts, which is encouraging seeing how I ranted about the fact that all the tutorials are videos.

Ether: Malware Analysis via Hardware Virtualization Extensions – nothing incredibly new (in fact my diploma thesis was very similar to this, the difference being that I patched Qemu to do this – with hardware support this is much faster), but still interesting. There is of course the problem of how much you let the (suspected) malware interact with the “interwebs”. Make it too little, and samples won’t run. Make it too much, and you risk participating in a DDoS attack.

Via the Enterprise Application Whitelisting blog: the Cisco guide to check the validity of IOS images before updating the routers. Their recommendation? Check the MD5! Fail! MD5 is insecure and has been broken several times publicly. I understand that their legacy tools only support MD5, but at least publish the SHA1 (or preferably SHA-256 and SHA-512) sums and give people instructions on how to validate them manually. How often do you update the firmware, that this would be a burden?

From a musical ad from FTC instructing people on how to verify their credit reports and avoid falling for fake sites.

Via glasblog: The 2009 Google Summer of Code ideas from The Honeynet Project have been announced. If you’re a student, check it out and make some good money (4500 USD AFAIK).

From How to merge a ramdrive and physical drive under Linux, so that the data overflows to the physical drive when the ramdrive is full. Interesting.

How to blog anonymously (via the Tor blog): Anonymous Blogging with Wordpress & Tor. This can be increasingly important as countries traditionally thought of as “democratic” begin to also severely restrict free speech (see the recent cases in the UK, Australia and New Zealand).

From the Security4All blog: EFF Re-Launches Legal Guide for Bloggers. See the complete list of questions. While it mainly (only) applies if you are in the USA, it is a good idea for all of us to look through it. For a more international version see How to avoid libel and defamation from the BBC. It is quite chilling to read through these texts, as they are a reminder of the fact that law and justice are two separate things.

Via GlasBlog (sorry for all the non German-speakers):

  • A central honeypot to collect RFI attempts – this could be improved with mod_proxy, since there is no telling that the automated scanning tool actually follows 3xx redirects (or that it follows them off-site)
  • The Schnucki project – another project aimed at watching web-crawlers which collect e-mail addresses

The Enso Launcher – a quick way to launch executables and perform other tasks on your computer. Also, it is free :-)

From Linux 2.6.29 has been released and it can cause a performance hit if you don't watch the settings.

From absoblogginlutely's Bookmarks on Delicious: 10 things you should know about connecting Macintosh OS X systems to Windows networks – they are mostly Samba related, so you can look at them also from a Linux perspective.

Why I Sued Google (and Won) – a tale about how somebody disputed the fact that their AdSense got closed in court and got a favorable verdict. Now I never used AdSense (or other ad services), but it is good to know that you might have recourse (of course, if you are outside of the USA, it is an entire other case).

Picture taken from Tony the Misfit's photostream with permission.

How does the Panda USB vaccination work?


I stumbled on the Panda USB and AutoRun Vaccine on the Panda Research blog and it piqued my interest because autorun-based malware is very widespread these days and also because I’ve written extensively about the topic.

Another reason is that I don’t like black boxes and it is my opinion that all knowledge should be disseminated in the open :-).

So how does the “vaccination” work? (as a sidenote: in the “olden days” – meaning DOS - the idea of “vaccination” was quite common and was based on the idea of emulating the checks which different viruses used to detect if they already infected the system. This quickly became unmanageable, since not all viruses checked for previous infections and some used the same vector but wanted different results. This program however has nothing to do with this method of vaccination.)

There are actually two components to it:

  • The “immunization” of the computer: this is done by the IniFileMapping feature I also discussed.
  • The “vaccination” of the USB drives: this is done by creating a folder named “autorun.inf” on the drive. Since folders and files share one namespace on most file systems, you can’t create a file and a directory with the same name. There is also some additional magic involved: the tool creates a file named lpt1 in the folder named autorun.inf (so you have the structure U:\autorun.inf\lpt1) in which it writes “caacaacaacaacaa” (don’t ask me why, I have no idea – it seems to be a gene sequence).

    This makes the folder undeletable by conventional tools. The reason is the interaction with compatibility (in DOS LPT1 referred to the printer port, so for compatibility reasons Windows tries to open the printer port whenever you ask for LPT1). For a more detailed description and workarounds which can be used see the section “Cause 5: The file name includes a reserved name in the Win32 name space” in KB320081 from Microsoft. A couple of errors in the announcement:

    • The announcement claims "USB drives that have been vaccinated cannot be reversed except with a format". This is not actually true, in fact the "vaccination" can be undone as described in the Microsoft KB.
    • "Panda USB Vaccine currently only works on FAT & FAT32 USB drives" - while this is true, the reason for it is that the program explicitly checks for the given filesystems (possibly because the authors thought that the method works because of quirks in the FAT filesystem, but in fact it works because the compatibility layer in the Win32 API, independent of the underlying FS). Also, on the NTFS filesystem other tricks can be played to create “undeletable” files / folders (like removing all the permissions for the given item, playing with the fact that NTFS is case sensitive – even though case insensivity is emulated by the Win32 API, etc), but none of them is irreversible as the blogpost claims. A possibly irreversible (or more accurately: very hard to reverse) change would be to open the disk directly and much around in the allocation tables / MFT and selectively corrupting it, but this would be very risky.

So there you have it. Nothing too magical and some errors/misunderstanding in the original post. Also, it is quite possible that future malware will look for the “immunization” on USB drives and reverse it.
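Since the trick is nothing more than a folder plus a file with a reserved name, it can be reproduced (and undone) from Linux, where the DOS device names are not reserved at all. The script below is an added example, neither Panda’s code nor from the original post: it creates the U:\autorun.inf\lpt1 structure on a mounted FAT stick with a plain redirect, checks for it, and removes it. From Windows the same file has to be addressed through the \\.\ device-namespace syntax that KB320081 describes (for example del "\\.\E:\autorun.inf\lpt1" to remove it). The mount point and drive letter are assumptions.

```shell
#!/bin/sh
# Added example, not Panda's code: "vaccinate" a mounted FAT/FAT32 stick from
# Linux, check it, and undo it. Usage: vaccine.sh on|off|check /mnt/usbstick

MARKER='caacaacaacaacaa'   # the string Panda writes into autorun.inf\lpt1

# Create the folder autorun.inf with a file lpt1 inside. Linux does not reserve
# DOS device names, so a normal redirect works here; once the stick is back in
# a Windows machine, Explorer and del cannot open that name via the Win32 API.
vaccinate() {
    local dir="$1/autorun.inf"
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        # a file called autorun.inf is already there: possibly malware's, look at it first
        echo "refusing: $dir exists and is not a folder" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    printf '%s' "$MARKER" > "$dir/lpt1"
}

# 0 if the folder + lpt1 structure is present, 1 otherwise.
is_vaccinated() {
    [ -d "$1/autorun.inf" ] && [ -f "$1/autorun.inf/lpt1" ]
}

# Undo. From Linux this is an ordinary delete; from Windows the same thing
# needs the \\.\ device-namespace path described in KB320081.
unvaccinate() {
    rm -rf "$1/autorun.inf"
}

case "${1:-}" in
    on)    vaccinate "$2" ;;
    off)   unvaccinate "$2" ;;
    check) is_vaccinated "$2" && echo "vaccinated" || { echo "not vaccinated"; exit 1; } ;;
esac
```

What the vaccine actually buys you is visible from Linux too: with the folder in place, any attempt to open autorun.inf for writing fails with "Is a directory", which is exactly what happens to the malware's dropper. What Linux cannot show is the "undeletable" part, which only exists in the Win32 compatibility layer.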

Picture taken from Clearly Ambiguous' photostream with permission.

Music from Hungary


This is slightly off-topic: a collection (in the form of a YouTube playlist) of songs by Hungarian bands (mostly older, because I hate new stuff :-)) which I love and find inspiring. I plan to do a similar playlist for Romanian songs/bands, however I’m not that well versed in the topic, so as not to miss some really obvious elements (so probably I will ask for help from my friends).

Enjoy (or skip it if you are not interested).

Update to the DeShortify Pipe


A while ago I created a pipe to transform short URLs into their longer versions. However the pipe itself was rather complicated and required a modification for each new service to be supported.

Luckily, on the Network Security Blog I saw the link to LongURL, which provides the same action for multiple services (in fact I think that they fetch the URL with something like cURL and observe the final destination, so in theory they should be able to support any service) and they provide a REST API. W00t!

So, I created an updated, simplified version of the DeShortify pipe and modified my Twitter Content pipe to use this instead (if you currently use the Twitter Content pipe, there is no need to change anything at your end).

PS. This service doesn’t support, presumably because they show a click-through page rather than sending a 3xx header. I can’t support them with a custom pipe either, because their tracking page needs a POST rather than a GET, and it is also based on the ASP viewstate (so you would need to do a rather complicated dance of fetching the page, extracting the viewstate and re-posting it). Off-topic rant: this is what you get for trying to create the “VB 6.0” illusion on the web, Microsoft! No leaky abstractions please!

Picture taken from [niv]'s photostream with permission.

Blogger tag cloud


Some time ago I experimented with the Cumulus plugin for Blogger, but concluded that I had so many tags (probably a sign of ADD :-)) that the only thing it did, was to transform your computer into a heater, by keeping the processor at 100%. So, I created a Yahoo Pipe which extracts the top N tags and modified the source code for the embedding to use it.

Below you can see the pipe, which is relatively simple:


The code consumes the result of the pipe as JSON and generates the Flash object. It is adapted from the original include code. If you wish to use it, edit the Yahoo Pipes URL (replace it with your blog URL and the number of tags you wish to show), the text color (on the line with “tcolor”) and possibly the size of the Flash object. The roundabout way of constructing the tags (splitting “<” from the tag name) is necessary because Blogger otherwise “mucks” with the code. One caveat: allowScriptAccess is set to “always”, which lets the SWF call JavaScript on your page, so only embed a SWF that you host and trust.

<div id="tagCloudContainer"></div>
<script type="text/javascript">
var tagCloud = {
  // JSONP callback: Yahoo Pipes calls this with its output ({value: {items: [...]}})
  'storeCloud' : function (obj) {
    // absolute base URL of the blog (the SWF needs absolute links, see the updates below)
    var baseUrl = location.protocol + "//" + location.host;
    // WP-Cumulus expects <tags><a href='...' style='SIZE'>name</a>...</tags>;
    // the tags are built piecewise so that Blogger does not mangle them
    var cloud = '<' + 'tags>';
    for (var i in obj.value.items) {
      cloud += "<" + "a " + "href='" + baseUrl + "/search/label/" + obj.value.items[i].title + "' style='8'>" + obj.value.items[i].title + '<' + '/a>';
    }
    cloud += '<' + '/tags>';
    tagCloud.cloudTags = cloud;
    // swfobject may not have loaded yet, so render from a timer and retry on failure
    setTimeout(tagCloud.renderTagcloudCallback, 100);
  },
  'renderTagcloudCallback' : function () {
    try {
      swfobject.embedSWF('', 'tagCloudContainer', '230', '240', '7', '',
        { 'tcolor' : '0x666633', 'mode' : 'tags', 'distr' : 'true', 'tspeed' : '100', 'tagcloud' : tagCloud.cloudTags },
        { 'wmode' : 'transparent', 'allowScriptAccess' : 'always' });
    } catch (err) {
      setTimeout(tagCloud.renderTagcloudCallback, 100);
    }
  },
  'init' : function () {
    // first script: swfobject.js; second: the pipe URL (JSON output, callback tagCloud.storeCloud)
    var head = document.getElementsByTagName('head')[0];
    var script = document.createElement('script');
    script.src = '';
    head.appendChild(script);
    script = document.createElement('script');
    script.src = '';
    head.appendChild(script);
    return this;
  }
}.init();
</script>

If you are reading this in your RSS reader, visit the blog to see it in action.

Update: it seems that the Flash file can't interpret tag names with special symbols in them (like '). Because of this I modified the pipe so that such tags are filtered out. This will result in some top tags not being displayed (if they contain special characters), but I considered this the right solution, because even if they were displayed, clicking on them wouldn't result in anything. Credit goes to Evie for finding this issue.

Update: the S3 instance hosting the Flash file and JavaScript went away (thanks to Soufiane for pointing this out). So I've downloaded the latest version of WP-Cumulus and uploaded the SWF file to Google Code. The SWFObject library is also served from there. So to everyone using the old version: please update to the latest code posted above to make it work again. Sorry for the disruption!

Update: The update broke the "clickability" of the links, since it seems that the new SWF file requires absolute URLs for that. This is now fixed in the script above.

Update: Yahoo pipes changed their backend and thus some adjustment was needed in the pipe which was done.

Friday, March 20, 2009

Mixed links


An analysis of the C variant of Conficker

Via Jeremiah Grossman: Detecting browsers which are in incognito mode – Interesting. It is based on the CSS history color hack and works because browsers in incognito mode seem to report all URLs as not visited, even if the visit occurred in the same session.

From Joanna Rutkowska: Attacking SMM Memory via Intel® CPU Cache Poisoning (link to PDF). Very cool. Basically, by changing the caching attributes (the MTRRs) of the SMRAM range, code running in ring 0 can get its writes into the CPU cache, and the cache later writes them back into SMM memory, which the chipset’s SMRAM protection should have prevented. Nice one!

From zillablog: The web IN your database – it muses on how Yahoo Pipes could be compared to a relational database. It also references a 2007 article Yahoo! Pipes and The Web As Database – hmm, I find the comparison with Microsoft Access objectionable :-)

From Reddit Reverse Engineering come the following links:

The first three are from the uCon conference. You can check out the other slides here.

From The Old New Thing: Defense in depth means that you protect against exploits that don't exist yet

Picture taken from quinn.anya's photostream with permission.

Installing the webhoneypot on OpenWrt


This is a raw tutorial for installing webhoneypot on a router running OpenWrt. The version used is Kamikaze 8.09 (this can be important because commands change between versions). The tutorial is not 100% complete and I will update it in the future when I learn new information.

Another assumption I make is that you have a separate Linux machine. The techniques can also be adapted to Windows, but it is easier on Linux.

The first step is to make more space. Typical routers come equipped with a small amount of flash (between 8 and 20MB), which isn't even enough to install all the packages. This means that some kind of external storage needs to be employed. In this example I'm assuming that a USB flash drive is used (a hidden assumption also is that the router in question has USB ports - for example some of the older WRT54Gs don't, but the ASUS 500 series do).

  • After logging in with SSH, update the list of packages: opkg update (in version 8.09 the list of packages is kept in RAM, so it needs to be refreshed after each reboot)
  • Following (adapting) the UsbStorageHowto from the OpenWrt wiki, I installed the USB 1.1 and 2.0 host-controller modules (both are needed: the EHCI/USB 2.0 driver only handles high-speed devices, and USB 1.1 devices are served by the UHCI companion controller) and the ext3 filesystem modules:
    opkg install kmod-usb-uhci kmod-usb2 kmod-usb-storage kmod-fs-ext3
    # The insmod commands might not be necessary, because I got the message
    # "insmod: a module named X already exists" for all of them, but better
    # safe than sorry
    insmod usbcore
    insmod uhci
    insmod ehci-hcd
    insmod scsi_mod
    insmod sd_mod
    insmod usb-storage
    insmod ext3
  • Now we format our stick with the ext3 filesystem on the Linux box we have access to. You can do it with a visual tool like gparted, or from the command line:
    sudo cfdisk /dev/sdx    # delete other partitions and create a Linux partition
    mkfs.ext2 -j /dev/sdx1  # -j makes it ext3; make sure to use the correct device :-)
    You might also want to consider dedicating part of the stick to swap (since the RAM of the router is also quite limited)
  • Plug in the stick into the router and mount it:
    mkdir /mnt/usbstick
    mount /dev/scsi/host0/bus0/target0/lun0/part1 /mnt/usbstick
  • Now, the following steps can lead to bricking your router, so proceed with care. The basic plan is the following:
    • Copy over the /usr directory to the stick
    • Delete the /usr directory from the internal flash
    • Mount the stick on the /usr directory
    • Install the packages we need
    • Copy back the old /usr directory to the internal flash (for safety, in case the flash drive can not be mounted for some reason)
    This elaborate dance is needed because opkg (the package manager) insists on having X amount of free space on / before starting the install, even if /usr (where the packages will ultimately end up) is mounted from a separate device. opkg does have options which theoretically can work around this problem, however I couldn't use them successfully.
  • To execute our plan:
    mkdir /mnt/usbstick/usr_backup
    # these commands will take some time; -a keeps modes, ownership and symlinks intact
    cp -a /usr/* /mnt/usbstick
    cp -a /usr/* /mnt/usbstick/usr_backup
    rm -rf /usr/*
    umount /mnt/usbstick
    mount /dev/scsi/host0/bus0/target0/lun0/part1 /usr
    # now install the new packages. a few comments:
    # - nano is so that we can do some basic text editing (yeah, vi is too hard for me :-))
    # - php5-cli is needed because in the future an update capability will be added to
    #   the webhoneypot, which will be run from the command line
    # - php5-mod-curl - it is possible that this will be a dependency in the future
    # - php5-mod-openssl - the updates will be (possibly) done trough SSL in the future
    opkg install lighttpd lighttpd-mod-cgi lighttpd-mod-rewrite nano php5 php5-cli \
    	php5-mod-curl php5-mod-openssl php5-mod-pcre php5-mod-sockets
    # now copy back everything to /usr
    umount /usr
    mount /dev/scsi/host0/bus0/target0/lun0/part1 /mnt/usbstick
    cp -R /mnt/usbstick/usr_backup/* /usr/
    # and remount the stick again
    umount /mnt/usbstick
    mount /dev/scsi/host0/bus0/target0/lun0/part1 /usr
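The one place where this step can brick the router is the rm -rf: if the copy to the stick is incomplete, /usr is gone and there is nothing to copy back. As an added example (it is not part of the webhoneypot or of OpenWrt), here is the same relocation with a verification pass in front of the delete, using only commands that busybox provides. The device path is the one from the commands above; the mount point is an assumption.

```shell
#!/bin/sh
# Added example (not part of webhoneypot or OpenWrt): the "copy /usr to the
# stick, then delete it from flash" step, gated on a verification pass so that
# nothing is removed from the router unless both copies are complete.
# Only busybox-available tools are used (find, sort, md5sum, cp, mount).
set -u

# Print "md5sum  ./relative/path" for every regular file under $1, sorted, so
# that two trees can be compared regardless of where they are mounted.
tree_digest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do md5sum "$f"; done )
}

# Copy the contents of $1 into $2 (-a keeps modes, owners and symlinks) and
# succeed only if every file in the source has a byte-identical copy.
copy_and_verify() {
    local src="$1" dst="$2"
    mkdir -p "$dst" || return 1
    cp -a "$src"/* "$dst"/ || return 1
    if [ "$(tree_digest "$src")" != "$(tree_digest "$dst")" ]; then
        echo "verification failed: $dst differs from $src, nothing deleted" >&2
        return 1
    fi
}

# The dance from the post with the check in front of rm -rf: the stick gets a
# copy of /usr in its root (to be mounted on /usr later) and a second one in
# usr_backup (copied back into flash afterwards, in case the stick fails).
relocate_usr() {
    local dev="$1" mnt=/mnt/usbstick        # dev: /dev/scsi/host0/bus0/target0/lun0/part1
    mkdir -p "$mnt" && mount "$dev" "$mnt"  || return 1
    copy_and_verify /usr "$mnt"             || return 1
    copy_and_verify /usr "$mnt/usr_backup"  || return 1
    rm -rf /usr/*                           # only reached when both copies verified
    umount "$mnt" && mount "$dev" /usr
}

if [ $# -eq 1 ]; then relocate_usr "$1"; fi
```

Run it as relocate.sh /dev/scsi/host0/bus0/target0/lun0/part1 in place of the block of commands above, then continue with the opkg install and the copy-back of usr_backup exactly as described. The digest comparison is deliberately done over the whole tree rather than a file count, since a truncated copy of a single library is enough to make the router unbootable.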

Now we have the packages installed. What follows is the fetching of the honeypot code from the repository and its installation to the router.

  • First we need to fetch the honeypot from the SVN. We could do this on the router (because it has a subversion-client package), but unfortunately that package doesn't support the HTTP (WebDAV) protocol (as per the SVN FAQ, SVN implements a plugin system for the different protocols and ra_dav is missing from the package provided by OpenWrt). So we do it on the Linux box: svn export
  • We should also prepare two other files on the Linux box, which will be copied over to the router (you could create them on the router, but it is more convenient to do it on the Linux side):


    server.modules              = ( "mod_rewrite", "mod_cgi" )
    server.document-root        = "/usr/wh/html/"
    server.upload-dirs          = ( "/tmp/" )
    server.errorlog             = "/usr/wh/logs/lighttpd_error.log"
    index-file.names            = ( "index.php", "index.html" )
    static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
    server.port                 = 80
    # server.bind               = ""           # bind address elided; lighttpd listens on all interfaces when unset
    # server.pid-file           = "/var/run/"  # pid file name elided
    dir-listing.encoding        = "utf-8"
    server.dir-listing          = "disable"
    url.rewrite-once            = ( "^/(.*)$" => "/index.php/$1" )
    cgi.assign                  = ( ".php" => "/usr/bin/php-cgi" )
    # debug.log-request-handling = "enable"


    engine = On
    short_open_tag = Off
    asp_tags = Off
    output_buffering = Off
    max_execution_time = 5
    max_input_time = 60
    memory_limit = 8M
    error_reporting  =  E_ALL & ~E_NOTICE
    register_globals = Off
    post_max_size = 8M
    magic_quotes_gpc = Off
    magic_quotes_runtime = Off
    enable_dl = Off
    cgi.force_redirect = 1
    file_uploads = Off
    allow_url_fopen = On
    allow_url_include = Off
    apc.enabled = Off
    extension_dir = "/usr/lib/php/"

    We set up lighttpd to run PHP scripts over plain CGI (FastCGI would be more efficient, but also more complicated to set up). The steps were adapted from this tutorial. The php.ini file is needed for two reasons. First, Perl-compatible regex (PCRE) support is not compiled into the PHP binary, so it has to be loaded as a shared extension from extension_dir. Second, APC support is compiled into the PHP binary and must be disabled, since at startup it tries to allocate a shared-memory segment of several megabytes, which fails on a router with around 20M of memory in total :-). To test that your PHP installation is working, issue the following command on the router: /usr/bin/php-cgi -v It should print some basic information about PHP (like version, copyright, etc). If it fails because of the APC cache, it prints an error message like the one described here: "[apc-error] apc_shm_create: shmget(0, 8388608, 658) failed: No error. It is possible that the chosen SHM segment size is higher than the operation system allows. Linux has usually a default limit of 32MB per segment."

  • We copy all the files from the Linux box to the router (in the /usr directory, since it now represents the USB stick):
    # on the router:
    mkdir /usr/wh
    # on the Linux box - replace with your router's IP
    scp -r * [email protected]:/usr/wh
    # on the router:
    mkdir /etc/lighttpd
    mv /usr/wh/lighttp.conf /etc/lighttpd
    mv /usr/wh/php.ini /usr/bin
    # start the webserver
  • Start the webserver: lighttpd -f /etc/lighttpd/lighttp.conf (lighttpd needs the -f switch to find its configuration file). Check that everything is working by opening the router's address in a browser on your box.
  • Now configure the honeypot however you wish. The installation document should give you a good start. To edit the configuration file, do nano /usr/wh/etc/config.local. One thing I would suggest is to add loglevel=4 to it, so that the request details are also stored locally.
  • The next step would be to get a DNS name (from DynDNS for example). This is especially important if your IP address changes from time to time. Also, you should submit the honeypot URL to the search engines. Have fun and please report any bugs or problems on the issue tracker.

Picture taken from mightyohm's photostream with permission.

Thursday, March 19, 2009

Mixed links


From Online finance flaw: At least AIG got this one right – a good example (finally!) on how to handle vulnerability reports.

Via the Security4All blog: The Untold Story of the World's Biggest Diamond Heist – very cool and a good reminder that you must consider the resources an attacker is willing to invest when you are planning your defense. Bonus points to Wired for having a “full page” option, rather than making you click through an endless flow of ads.

Slides about Metadata and GPS Tracking have been posted to PaulDotCom. They make an interesting read.

Via the F-Secure weblog: Evil searching whitepaper – this means that the webhoneypot will be able to collect relevant data. Two other papers about similar topics: Dissecting Web Attacks [PDF from Blackhat DC 2009] and Inside the Malicious World of Blog [PDF].

On The Old New Thing one can read about the problems with updating drivers using Windows Update. What can I say? One more reason to go open-source: because it gives you the right to redistribute.

From vvvv - “vvvv is a toolkit for real time video synthesis”. And, it is written in Delphi :-)

Differences between IE8 Compatibility View and IE7 – interesting (also the debates in the comments). On a related note: Microsoft claims that IE8 is often faster in loading pages than other browsers – while I don’t dispute their claims, the fact is that the delay between pressing Ctrl+T and the new tab being created is still so big compared to any other browser that it is annoying (you can’t just Ctrl+T and start typing).

From the ESET Threat Blog: When is a Hoax not a Hoax? Plus points for mentioning, the ultimate source to debunk stupid chain letters.

From InfoSec World 2009 - Total Browser Pwnag3 Slides – scary (embedded below for the readers’ convenience)

Continuing with scary stuff, here is part 1 and part 2 of “A Case Study in Restore Nightmares” from the Evil Fish blog. This is the level for small and big companies. In the same spirit from terminal23 we have The Company that Did Everything Wrong (part 2).

From comes a link to Reverse Engineering Reddit. Added to my RSS reader :-) Current favorite post: Public service announcement: the anti-virus industry does not write malware. If you think that they do, you are wrong. Please stop perpetuating this stupid myth – thank you.

A fun (and totally addictive :-)) little Flash game: Magnet towers. There are a couple of shortcomings (no pause button, sound is only mutable during the game, sometimes pieces are under the mute button, no concept of multiple lives/levels - you always have to start from scratch).

From skunkworks with the comment “Asimov would have liked it”:

In fact Asimov recognized long ago that robots which are too similar to humans make us feel uncomfortable. It is better (from a psychological standpoint) to make robots of different form-factors.

McAfee Debuts ‘Combating Threats’ Series – unfortunately it doesn’t seem to offer much more than the descriptions which are already accessible on their site (yes, there are some screenshots in them, but that’s pretty much it).

Via Glasblog: the Anubis sandbox now offers clustering based on behavior – interesting. There are quite a few methods to cluster malware, the problem is to do it in a scalable way (a competitive solution should be able to cope with at least 20 000 samples per day).

On the DVLabs blog we have Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits – frightening.

On the Microsoft Security Research & Defense blog we have GS cookie protection – effectiveness and limitations – a very nice explanation of when stack canaries can and cannot help.

Parrot 1.0.0 has been released – if you don’t know, Parrot aims to be a VM implementing multiple dynamic languages, and it also is the main implementation of Perl 6 currently. Speaking of Perl 6, check out the Perl 6 series from Gabor Szabo.

From the Virtual PC Guy’s weblog comes When not to run Antivirus on the host machine. A nice complementing article is Whitelisting in Control Systems, which links to a short whitepaper from Coretrace. Of course there are problems with whitelisting too, but in static environments (like the navy or ATM machines) it is a much better option than blacklisting.

From comes the link to The hero factory. A fun (and well executed) project, however they don’t specify how and under what license the image can be used. I know that I’m nitpicking here, but I’ve become sensitive to such issues lately. I’ve emailed them (the contact address was also quite hard to find) and suggested selecting a version of Creative Commons, however they haven’t responded yet.

A similar site is Simpsonize Me. They offer a list of conditions under which the image can be used.

Massively Parallel Computing :-)


I am a fan of BOINC, which uses distributed computing to solve massive problems (some very serious, like finding a cure to certain types of cancer, others more abstract, like finding prime numbers).

The problem however is ease of use and distribution. You have to (a) know that this software exists and (b) know how to download and install it.

Another option would be to use a platform which is already widely deployed to make delivery easier. Some of the options would be:

  • Flash – version 10 has a JIT compiler for the ActionScript part
  • Javascript – Chrome has a JIT compiler and Firefox 3.5 will hopefully have one (which can already render some 3D in real-time)
  • Java and Silverlight 2 – they have more advanced JIT compilers, but are not as widely available as the first two options

There is some performance loss when we compare these technologies to native code (up to 90%), but we have at least two factors working in our favor: we can work on a large scale and the performance of these technologies will improve in the future.

Now, it is not all rosy:

  • The most popular technologies (Flash and Javascript) do not support threading or setting the priority for the process AFAIK. This means that, in order to make the calculation unobtrusive, it must be chunked up into very small pieces (less than 1 second) and insert pauses between them
  • The computation performed by a single person is very limited, especially if the business model is to place the code on webpages, because the time spent on a webpage is small. This means that the task must be such that it can be chunked up into very small pieces

One company which is making a play for this market is Plura Processing (see also their blog). Disclaimer: I have no relations with the company, I just found their idea interesting. From what I understand, they use Java for the processing part and target pages which have a longer “stay-time” (like pages containing Flash games) and they have a revenue-sharing model with the webpages who embed their applet. Cool!

Picture taken from Shahram Sharif's photostream with permission.

Wednesday, March 18, 2009

goes live


Via removes the beta label and goes live. It is a forum that tries to help people who are struggling with a malware problem, either on their home computer or on their website. What I liked:

  • Full RSS feed for the site (so that it can be mined for malicious URLs for research purposes :-))
  • No-fluff interface
  • When an external link is clicked, it first goes to a warning page

When it first launched it was criticized by some as an attempt to redirect traffic from CastleCops. Now that CastleCops is no more :-(, this shouldn't be an issue. Hopefully the fact that it has some big companies backing it means that it's not going anywhere soon (and that it can withstand any potential DDoS attack launched against it easily). The traffic is quite low at the moment (compared to some bigger forums), but probably it will increase. Finally, here is a short video presenting it (it focuses more on the UI side than the functionality):

PS. A revelation that came to me: how to repetitively execute searches on search engines without getting banned (to find malicious links, for example)? You can use their API, but you could also use Yahoo Pipes, which includes a Yahoo Search input module, and you can get the results conveniently as an RSS feed, PHP structure or JSON (whichever is easier for you to parse).

Tuesday, March 17, 2009

Secure erase


Fun (curious) fact: all recent (newer than 2006) hard drives have ATA commands built in specifically for wiping the data off them (ATA Secure Erase). There are at least two advantages to this method over overwriting from software:

  • It wipes all sectors (including sectors marked as bad by the internal tables)
  • It is faster

You can get the program which initiates such a wipe at the CMRR (Center for Magnetic Recording Research) website.
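On Linux the same ATA command can be issued with hdparm. The following is an added example (it is neither from the post nor from the CMRR tool) that performs the check most people trip over first: after a normal boot most BIOSes leave the drive's security feature set "frozen", and a frozen drive rejects the erase command until it has been suspended/resumed or hot-replugged. The two "Security:" blocks are constructed copies of what hdparm -I prints (indentation shown with spaces), and the device name is an assumption.

```shell
#!/bin/sh
# Added example, not from the post or the CMRR tool: the ATA SECURITY ERASE
# UNIT command issued from Linux with hdparm, with the pre-flight check that
# decides whether it can work at all. The sample outputs are constructed copies
# of the "Security:" block that `hdparm -I /dev/sdX` prints.

SAMPLE_FROZEN='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        40min for SECURITY ERASE UNIT. 40min for ENHANCED SECURITY ERASE UNIT.'

# same drive after a suspend/resume cycle: the BIOS freeze is gone
SAMPLE_READY=$(printf '%s\n' "$SAMPLE_FROZEN" | sed 's/^\([[:space:]]*\)frozen$/\1not frozen/')

# Does the Security block on stdin list FLAG as set, i.e. a line "FLAG" rather
# than "not FLAG"? Lines such as "supported: enhanced erase" do not match.
sec_flag() {
    grep -qE "^[[:space:]]+$1([[:space:]]|$)"
}

# Classify hdparm -I output on stdin: prints unsupported, frozen, locked or
# ready, and returns 0 only for ready.
security_state() {
    local sec
    sec=$(sed -n '/^Security:/,/SECURITY ERASE UNIT/p')
    if ! printf '%s\n' "$sec" | sec_flag supported; then echo unsupported; return 1; fi
    if   printf '%s\n' "$sec" | sec_flag frozen;    then echo frozen;      return 1; fi
    if   printf '%s\n' "$sec" | sec_flag locked;    then echo locked;      return 1; fi
    echo ready
}

# Destructive: wipes the whole of $1. A NULL user password is set and consumed
# by the erase. If power is lost mid-erase the drive may stay locked with that
# password; hdparm --security-unlock NULL and --security-disable NULL clear it.
secure_erase() {
    local dev="$1" state
    state=$(hdparm -I "$dev" | security_state) || { echo "$dev: $state, not erasing" >&2; return 1; }
    hdparm --user-master u --security-set-pass NULL "$dev" &&
    hdparm --user-master u --security-erase NULL "$dev"
}
```

Call secure_erase /dev/sdX (device name assumed) only on a drive you have double-checked by serial number; because the command is executed by the drive firmware, there is no progress output and no way to stop it once it has started, and the "40min" figure that hdparm reports is the drive's own estimate.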

Picture taken from steven m's photostream with permission.

Mixed links


Installing DokuWiki on a SourceForge account – it seems that SF has some more complex security policies (which is good), but it takes a little command-line kung-fu to install DW (because it needs write access to some directories).

Guaranteeing deletion – an interesting thought-experiment on how to guarantee the fact that a hostile system executes your commands. The proposed solution: make it repeat back the things you have written to it and hope that it doesn’t have enough “off-line” storage to keep it separate from the disk. What I see as a problem: the system could still keep a part of the info in RAM, preserving at least part of the disk. Also, the data must be as random as possible, because otherwise much more can be kept in a smaller space using compression.

Optimizing strlen – an interesting article exploring different low-level optimizations. That said, measure first, optimize second. Or more precisely: set goals first, measure second and optimize third.

A collection of Linux performance measurement related posts:

In Oracle everything is a NUMBER – while this is a nice abstraction, I really hope that there is some optimized code for specific use-cases behind the scene (like INTEGERS), otherwise it seems to be a big waste of performance.

A Perl one-liner for testing primeness – it is complicated and less efficient than even my naive implementation, but nonetheless cool.

The end-rant about the Ask toolbar – wondered why some people were so touchy about products (big brand-name products!) bundling the Ask toolbar? Read this.

Something funny from ChuckChat:

From MarkMonitor we can get a nice whitepaper about the entities involved in a phish take-down. Nothing particularly new, but it is nice to see them summarized in one place.

From BlogSecurity, we have a link to 10 tips to make Wordpress hack-proof. While the title is a little overstated (it won’t make your site 100% secure), the tips are still worth implementing. Also check out How to Firewall Your WordPress Blog.

Staple and Unstaple – some cryptographic transforms which offer interesting guarantees.

A good webcomic

Plotting SVG from PostgreSQL with PLPython – interesting, regardless of your opinion about which layer this code should reside in.

From the SANS diary I got the link to the Ubuntu Security Notices page. They also have an RSS feed, so that you can subscribe to the notifications.

Infosec can be fun, especially when coupled with karaoke:

Part 2 for top 10 RDP misconceptions – interesting, but the security part is still marketing blah-blah. Crypto is hard to get right, even if it is “full-blown” and “standard based” (just take a look how the Wii public-key crypto got broken).

Independent Attack Discoveries – why it is infeasible to assume that you can keep vulnerabilities secret. Even for highly technical stuff we have multiple independent parties working on it, so any website vulnerabilities are almost certainly known to multiple parties (many of whom are probably malicious!)

Penny Arcade Podcast – it’s not listed elsewhere on their site.

From Roger's Security Blog: how virtualization can hurt you – the virtualized DC synchronized its time with the NTP server, but then it was forced to synchronize with the host, which had the wrong time (BTW, a cool fact: is part of! Very good MS!)

Via the WinDirStat blog: National Language Support (NLS) API Reference on MSDN. A handy little table if you are interested in different values (like codepages, LCID, etc) for a particular language / culture.

Picture taken from donnamarijne's photostream with permission.