royans

Locks were considered very secure until the first lock pickers got their hands on it. Phone system were secure until the John Draper discovered some use for the toy whistle in Captain Crunch pack. Infact even the creators of internet didn't think of too much security when it was initially designed.  Its the commoditization of technology which sometimes brings about the worst of all security bugs. And I believe the next round of changes are coming very soon. Until very recently radios were built for a purpose and they rarely did more than what it was supposed to do.   Think of them like the early computers which took a whole room and could only do only type of a job per computer. Todays computer can do all kinds of stuff and unlike the older versions, they don't need to be rewired physically to make them do a new job. Everything is done using software. Wikipedia does a good job at defining what this is. A  software-defined radio  system, or  SDR , is a  radio   communication  

Locks were considered very secure until the first lock pickers got their hands on it. Phone system were secure until the John Draper discovered some use for the toy whistle in Captain Crunch pack. Infact even the creators of internet didn't think of too much security when it was initially designed.  Its the commoditization of technology which sometimes brings about the worst of all security bugs. And I believe the next round of changes are coming very soon. Until very recently radios were built for a purpose and they rarely did more than what it was supposed to do.   Think of them like the early computers which took a whole room and could only do only type of a job per computer. Todays computer can do all kinds of stuff and unlike the older versions, they don't need to be rewired physically to make them do a new job. Everything is done using software. Wikipedia does a good job at defining what this is. A  software-defined radio  system, or  SDR , is a  radio   communication  

The truth is that not everyone gets updates to chrome as soon as its released. And as its usually the case a lot of holes get discovered only after its exploited in the field. Google has finally announced a fully sandboxed flash engine which prevents the malicious code running within the flash component to fully exploit the system. It should keep you safe from unexpected security threats until an update arrives. Google says sandboxing is now available for Flash “with this release” of Chrome. The most recent version, Chrome 23, arrived last week, which is when the four-year-old browser received its usual dose of security fixes (14 in total), as well as a new version of Adobe Flash.  Yet the company today wanted to underline today that Chrome’s built-in Flash Player on Mac now uses a new plug-in architecture which runs Flash inside a sandbox that’s as strong as Chrome’s native sandbox, and “much more robust than anything else available.” This is great news for Mac users since Flash is so

The truth is that not everyone gets updates to chrome as soon as its released. And as its usually the case a lot of holes get discovered only after its exploited in the field. Google has finally announced a fully sandboxed flash engine which prevents the malicious code running within the flash component to fully exploit the system. It should keep you safe from unexpected security threats until an update arrives. Google says sandboxing is now available for Flash “with this release” of Chrome. The most recent version, Chrome 23, arrived last week, which is when the four-year-old browser received its usual dose of security fixes (14 in total), as well as a new version of Adobe Flash.  Yet the company today wanted to underline today that Chrome’s built-in Flash Player on Mac now uses a new plug-in architecture which runs Flash inside a sandbox that’s as strong as Chrome’s native sandbox, and “much more robust than anything else available.” This is grea

Kaspersky labs came out with its Q3 report and not surprisingly Oracle and Adobe have some of the worst holes impacting the largest number of users. What I was surprised more about was that Apple made it to that list even though Microsoft didn't explicitly get named. The map below shows the % of users infected. Also found it interesting that iTunes has a lot of holes. Who would have thunk it. IT Threat Evolution: Q3 2012 - Securelist

Kaspersky labs came out with its Q3 report and not surprisingly Oracle and Adobe have some of the worst holes impacting the largest number of users. What I was surprised more about was that Apple made it to that list even though Microsoft didn't explicitly get named. The map below shows the % of users infected. Also found it interesting that iTunes has a lot of holes. Who would have thunk it. IT Threat Evolution: Q3 2012 - Securelist

I had never heard of SDRs until today . But now that I know it, I can understand why some folks are so excited about it. This is almost like a swiss army knife for the radio hackers. The HackRF can shift between different frequencies as easily as a computer switches between applications–It can both read and transmit signals from 100 megaherz to 6 gigaherz, including frequencies as low as the range used by FM radio up to the gigaherz frequencies used by Wifi or experimental wireless protocols for cars communicating in traffic. In between those bookends lies everything from police radio to cellular signals from  AT&T  and Verizon to garage door openers–all signals that HackRF can instantaneously intercept or reproduce. 

I had never heard of SDRs until today . But now that I know it, I can understand why some folks are so excited about it. This is almost like a swiss army knife for the radio hackers. The HackRF can shift between different frequencies as easily as a computer switches between applications–It can both read and transmit signals from 100 megaherz to 6 gigaherz, including frequencies as low as the range used by FM radio up to the gigaherz frequencies used by Wifi or experimental wireless protocols for cars communicating in traffic. In between those bookends lies everything from police radio to cellular signals from  AT&T;  and Verizon to garage door openers–all signals that HackRF can instantaneously intercept or reproduce. 

Using Try-Catch block is a very good way to detect run-time exceptions. But one of my code reviewers recently pointed out that over using them can be dangerous. I was pointed out that I should only catch those exceptions which I understand and should correctly handle them once its caught. Catch-all try-blocks may generate less user facing errors, but could hide the more serious issues. Nothing else describes the danger of this way of ignoring exceptions than this post on android-ssl.org  [ More details in this  paper ]. To evaluate the real threat of such potential vulnerabilities, we have manually mounted MITM attacks against 100 selected apps from that set. This manual audit has revealed widespread and serious vulnerabilities. We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts. We have succesfully manipulated virus signatures downlo

Using Try-Catch block is a very good way to detect run-time exceptions. But one of my code reviewers recently pointed out that over using them can be dangerous. I was pointed out that I should only catch those exceptions which I understand and should correctly handle them once its caught. Catch-all try-blocks may generate less user facing errors, but could hide the more serious issues. Nothing else describes the danger of this way of ignoring exceptions than this post on android-ssl.org  [ More details in this  paper ]. To evaluate the real threat of such potential vulnerabilities, we have manually mounted MITM attacks against 100 selected apps from that set. This manual audit has revealed widespread and serious vulnerabilities. We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts. We have succesfully manipulated virus signatures downlo

One of the first discussions I noticed around TLS/SSL was in a news report last year. At the  Ekoparty security conference  in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or  HTTP Strict Transport Security , which prevents certain pages from loading unless they're protected by SSL. These guys came back again this year with another attack called " CRIME ". A simplified version of how this attack is executed is described here  along with the plan on how chrome is going to address is. The problem that CRIME highlights is that sensitive cookie data and an attacker controlled path is compressed together in the same context. Cookie data

One of the first discussions I noticed around TLS/SSL was in a news report last year. At the  Ekoparty security conference  in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or  HTTP Strict Transport Security , which prevents certain pages from loading unless they're protected by SSL. These guys came back again this year with another attack called " CRIME ". A simplified version of how this attack is executed is described here  along with the plan on how chrome is going to address is. The problem that CRIME highlights is that sensitive cookie data and an attacker controlled path is compressed together in the same context. Cookie data

I knew there were ways to embed an image into an HTML page by adding a 'src' to the 'img' tag which contained the whole base64 encoded image file. What I didn't know is that there are ways to use similar methods to invoke javascript in context of the current page. For example, HTML tags like the following could be used to inject XSS into any page. Most browsers (especially chrome) do protect against this, but it may be possible to get around some of the security measures. <a target=_blank href="data:text/html,<script>alert(opener.document.body.innerHTML)</script>">clickme</a>  <a target=_blank href="data:text/html;base64,  PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+ ">clickme</a>  Read this for little more background.

I knew there were ways to embed an image into an HTML page by adding a 'src' to the 'img' tag which contained the whole base64 encoded image file. What I didn't know is that there are ways to use similar methods to invoke javascript in context of the current page. For example, HTML tags like the following could be used to inject XSS into any page. Most browsers (especially chrome) do protect against this, but it may be possible to get around some of the security measures. ">clickme   PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+ ">clickme   Read this for little more background.

Missing SD card slots in Nexus devices shouldn't be looked at as a disadvantage. Read this to get the full picture. Google still supports removable storage in Android, but it is leading by example and providing phones (and now a tablet) with one big block of storage that users can use for anything they like -- be it media, documents, or apps. There are a couple of side benefits to this approach as well. The first one is a bit geeky -- it allows the device to use ext file systems instead of a mix of ext and FAT. This is faster and safer -- both for the data on the device and the way it's handled, and access to our own personal data. A journalized file system means fewer file errors, and ext preserves file system permissions so random code can't find your pictures or documents folder.

Missing SD card slots in Nexus devices shouldn't be looked at as a disadvantage. Read this to get the full picture. Google still supports removable storage in Android, but it is leading by example and providing phones (and now a tablet) with one big block of storage that users can use for anything they like -- be it media, documents, or apps. There are a couple of side benefits to this approach as well. The first one is a bit geeky -- it allows the device to use ext file systems instead of a mix of ext and FAT. This is faster and safer -- both for the data on the device and the way it's handled, and access to our own personal data. A journalized file system means fewer file errors, and ext preserves file system permissions so random code can't find your pictures or documents folder.

Alert: Highly Sophisticated Large Scale Cyberheist Targets Customer Funds at Major U.S. Banks : An international gang of cyber crooks is plotting a major campaign to steal money from the online accounts of thousands of consumers at 30 or more major US banks, security firm RSA warned.   In an advisory Thursday, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to US banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts.   If successful, the effort could turn out to be one of the largest organized banking-Trojan operations to date, Mor Ahuvia, cybercrime communications specialist with RSA's FraudAction team, said today. The gang is now recruiting about 100 botmasters, each of whom would be responsible for carrying out Trojan attacks against US banking customers in return for a share of the loot, she said.

If you are not blocking chrome updates, you will be automatically patched very soon. No need to wait for the monthly 'patch tuesday'.  Google has fixed  a hole in its Chrome browser  that earned a white hat hacker $60,000 at the recent Pwnium 2 hacking contest.   The company released the fix for the vulnerability on Wednesday, around 10 hours after it was revealed at the Pwnium competition at  'Hack in the Box 2012' contest  in Kuala Lumpur, Malaysia on Tuesday. The hacker — who goes by the name of 'pinkie pie' — found the vulnerability in the browser by combining two separate exploits, and netted a cool $60,000 for his discovery, as well as a free Chromebook.

Alert: Highly Sophisticated Large Scale Cyberheist Targets Customer Funds at Major U.S. Banks : An international gang of cyber crooks is plotting a major campaign to steal money from the online accounts of thousands of consumers at 30 or more major US banks, security firm RSA warned.   In an advisory Thursday, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to US banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts.   If successful, the effort could turn out to be one of the largest organized banking-Trojan operations to date, Mor Ahuvia, cybercrime communications specialist with RSA's FraudAction team, said today. The gang is now recruiting about 100 botmasters, each of whom would be responsible for carrying out Trojan attacks against US banking customers in return for a share of the loot, she said.

If you are not blocking chrome updates, you will be automatically patched very soon. No need to wait for the monthly 'patch tuesday'.  Google has fixed  a hole in its Chrome browser  that earned a white hat hacker $60,000 at the recent Pwnium 2 hacking contest.   The company released the fix for the vulnerability on Wednesday, around 10 hours after it was revealed at the Pwnium competition at  'Hack in the Box 2012' contest  in Kuala Lumpur, Malaysia on Tuesday. The hacker — who goes by the name of 'pinkie pie' — found the vulnerability in the browser by combining two separate exploits, and netted a cool $60,000 for his discovery, as well as a free Chromebook.

Zero Day by Mark Russinovich is a brilliant novel about why we should fear an online attack by a rogue non-state-sponsored terrorist before any other forms of spectacular attacks. I didn't know that Boing 787 was fully fly by wire , and that medication in hospitals were controlled by networked computers. While attacking that type of software would require specialized knowledge on internals of those systems, it may not be as far fetched as most of us assume it to be. The fact that zero day exploits are available for sale is also not a secret anymore. There are organizations out there who are willing to pay big bucks for those who prefer money than fame. Why do you think pwn2own doesn't require exploits to be fully docume nted anymore ? The proliferation of networked computers is good idea, but our inability to patch them on time is a recipe for disaster. I've worked long enough in IT to know that not all patches are applied immediately to all systems as soon as they are

Zero Day by Mark Russinovich is a brilliant novel about why we should fear an online attack by a rogue non-state-sponsored terrorist before any other forms of spectacular attacks. I didn't know that Boing 787 was fully fly by wire , and that medication in hospitals were controlled by networked computers. While attacking that type of software would require specialized knowledge on internals of those systems, it may not be as far fetched as most of us assume it to be. The fact that zero day exploits are available for sale is also not a secret anymore. There are organizations out there who are willing to pay big bucks for those who prefer money than fame. Why do you think pwn2own doesn't require exploits to be fully docume nted anymore ? The proliferation of networked computers is good idea, but our inability to patch them on time is a recipe for disaster. I've worked long enough in IT to know that not all patches are applied immediately to all systems as soon as they are

Apparently, Iran still being on x.25 was a surprise to some. Aren't traditional phone networks older that x.25 ? And isn't that still in service in more parts of the world? The way I waste my days: Iran`s X.25 NUA Directory : Well , long time ago this directory was a big secret for me ,as I`m sure thi s is the first ever published list of NUA, covering Iran`s X.25...

Apparently, Iran still being on x.25 was a surprise to some. Aren't traditional phone networks older that x.25 ? And isn't that still in service in more parts of the world? The way I waste my days: Iran`s X.25 NUA Directory : Well , long time ago this directory was a big secret for me ,as I`m sure thi s is the first ever published list of NUA, covering Iran`s X.25...

Immunity products  claims oracle patched multiple 0day security holes (not just one) in the recent update. While doing some fast analysis (keep in mind we only spent an hour and half on it), we find out that they patched at least 4 vulnerabilities in the Java code base: The two used by the Gondvv worm and two more on difference pieces of code. These 2 vulnerabilities were located in com.sun.beans.finder.ConstructorFinder and com.sun.beans.finder.FieldFinder and the underlying issue was the same "a trusted immedate caller".

Immunity products  claims oracle patched multiple 0day security holes (not just one) in the recent update. While doing some fast analysis (keep in mind we only spent an hour and half on it), we find out that they patched at least 4 vulnerabilities in the Java code base: The two used by the Gondvv worm and two more on difference pieces of code. These 2 vulnerabilities were located in com.sun.beans.finder.ConstructorFinder and com.sun.beans.finder.FieldFinder and the underlying issue was the same "a trusted immedate caller".

So you think you patch everything regularly and watch out for zero days and take preventive actions. You have anti-virus running on all of your 5 desktops and laptops and have convinced your spouse to be careful as well. But did you forget your modem ? All too often network equipment devices are forgotten - once installed and configured, most users or businesses do not worry about applying firmware updates provided by manufacturers. Even the simplest failure can affect thousands of users, who are silently attacked and prompted to inadvertently install malware or steered into phishing domains. As  pointed out  by the researcher Marta Janus, DSL modems are attacked by different kinds of malware, generally Linux-based, or in attacks exploiting CSRF flaws, UPnP and SNMP misconfigurations or even a complex drive-by pharming.   Strikingly, not only is this kind of fairly largely ignored by users, but the security community itself pays little attention. It is quite common to see reminders ab

So you think you patch everything regularly and watch out for zero days and take preventive actions. You have anti-virus running on all of your 5 desktops and laptops and have convinced your spouse to be careful as well. But did you forget your modem ? All too often network equipment devices are forgotten - once installed and configured, most users or businesses do not worry about applying firmware updates provided by manufacturers. Even the simplest failure can affect thousands of users, who are silently attacked and prompted to inadvertently install malware or steered into phishing domains. As  pointed out  by the researcher Marta Janus, DSL modems are attacked by different kinds of malware, generally Linux-based, or in attacks exploiting CSRF flaws, UPnP and SNMP misconfigurations or even a complex drive-by pharming.   Strikingly, not only is this kind of fairly largely ignored by users, but the security community itself pays little attention. It is quite common to see reminders ab

How fast is an security patch converted into an exploit ?  F-secure's  @ TimoHirvonen  did a study and came with this example to document a time-to-exploit timeline.   •  2012-08-14: Security update available for Adode Flash player, patches vulnerability CVE-2012-1535.      ( Security update available for Adobe Flash Player )   •  2012-08-15: Microsoft Office Word documents with embedded Flash exploit for CVE-2012-1535 seen in the wild.      ( CVE-2012-1535: Adobe Flash being exploited in the wild ,  CVE-2012-1535 - 7 samples and info )   •  2012-08-17: Exploit is added to Metasploit Framework — a public, open-source tool for developing and executing exploits.      ( Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit ) Took just one day for it to be converted into an exploit. In other words, it is not enough to release a patch. What matters now is how fast can all the clients can be updated after a patch is released.

In the browser world, Java and Adobe look very similar. Not only are they similar in the kind of stuff they allow embedded applets/flash_Code to do, but also in the way its exploited to get out of the security container which anonymous code should never be able to do. So here are couple of interesting news items you should know more about... Adobe revokes certificates : Some tools found in the wild were found to be signed with Adobe's signature which should have never leaked Adobe's infrastructure. Adobe had no option but to initiate the process to revoke the impacted signatures and are conducting forensics to understand what really happened and what else is exposed. More Java holes reported :   A number of readers alerted ISC of news reports stating that new "full sandbox escape" vulnerabilities had been reported to Oracle. At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabiliti

Honeymap is  a real-time world map which visualizes attacks captured by honeypots of the  Honeynet Project . Red markers on the map represent attackers, yellow markers are targets (honeypot sensors). Not terribly useful in its current form, but a very interesting way to watch attacks to see if infected systems for a particular type of attack is geo-specific.

How fast is an security patch converted into an exploit ?  F-secure's  @ TimoHirvonen  did a study and came with this example to document a time-to-exploit timeline.   •  2012-08-14: Security update available for Adode Flash player, patches vulnerability CVE-2012-1535.      ( Security update available for Adobe Flash Player )   â€¢  2012-08-15: Microsoft Office Word documents with embedded Flash exploit for CVE-2012-1535 seen in the wild.      ( CVE-2012-1535: Adobe Flash being exploited in the wild ,  CVE-2012-1535 - 7 samples and info )   â€¢  2012-08-17: Exploit is added to Metasploit Framework — a public, open-source tool for developing and executing exploits.      ( Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit ) Took just one day for it to be converted into an exploit. In other words, it is not enough to release a patch. What matters now is how fast can all the clients can be updated after a patch is released.

In the browser world, Java and Adobe look very similar. Not only are they similar in the kind of stuff they allow embedded applets/flash_Code to do, but also in the way its exploited to get out of the security container which anonymous code should never be able to do. So here are couple of interesting news items you should know more about... Adobe revokes certificates : Some tools found in the wild were found to be signed with Adobe's signature which should have never leaked Adobe's infrastructure. Adobe had no option but to initiate the process to revoke the impacted signatures and are conducting forensics to understand what really happened and what else is exposed. More Java holes reported :   A number of readers alerted ISC of news reports stating that new "full sandbox escape" vulnerabilities had been reported to Oracle. At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabiliti

If you had asked me a few years ago about how should a website owner protect a login page, I'd probably have said that they should make sure credentials are never sent over unencrpted channel. Now thanks to a little more knowledge and a few 'duh' moments I've come to realize that there is one another aspect of login page which goes un-noticed. While most websites today do enforce that credentials are sent over HTTPS, they do not verify that the login page itself is not in the clear. In fact many of them have a "login/password" form in the clean on many unencrypted pages. For those who understand the risk of javascript injection can tell you as a matter of fact that the forms can be modified by a MiTM (man in the middle) device to do lots of interesting things... including, sending your password to an attackers server. Hence getting the password over encrypted channel wouldn't protect much. A key point to note here is that this requires an active attack on

Its been a while since I last played with snort and even longer since I touched tripwire which was at one point the most popular host based intrusion detection tool out there. A lot has changed since then. From a quick glance at the various tools I found below, its clear that just alerting based on signatures isn't enough. This is not surprising since I can see how lot of false positives can lead to a configuration which could produce false negatives. Whats needed is a set of tools which can help investigate false positives quickly using visual notification or automated secondary scripts which could pull data from various sources to put a confidence number on each alert. Security onion  - Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an

Honeymap is  a real-time world map which visualizes attacks captured by honeypots of the  Honeynet Project . Red markers on the map represent attackers, yellow markers are targets (honeypot sensors). Not terribly useful in its current form, but a very interesting way to watch attacks to see if infected systems for a particular type of attack is geo-specific.

If you had asked me a few years ago about how should a website owner protect a login page, I'd probably have said that they should make sure credentials are never sent over unencrpted channel. Now thanks to a little more knowledge and a few 'duh' moments I've come to realize that there is one another aspect of login page which goes un-noticed. While most websites today do enforce that credentials are sent over HTTPS, they do not verify that the login page itself is not in the clear. In fact many of them have a "login/password" form in the clean on many unencrypted pages. For those who understand the risk of javascript injection can tell you as a matter of fact that the forms can be modified by a MiTM (man in the middle) device to do lots of interesting things... including, sending your password to an attackers server. Hence getting the password over encrypted channel wouldn't protect much. A key point to note here is that this requires an active attack on

Its been a while since I last played with snort and even longer since I touched tripwire which was at one point the most popular host based intrusion detection tool out there. A lot has changed since then. From a quick glance at the various tools I found below, its clear that just alerting based on signatures isn't enough. This is not surprising since I can see how lot of false positives can lead to a configuration which could produce false negatives. Whats needed is a set of tools which can help investigate false positives quickly using visual notification or automated secondary scripts which could pull data from various sources to put a confidence number on each alert. Security onion  - Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an

A lot of people shared this, so shouldn't be a surprise to most of you. But it seems like a good post to start this new blog with. Alice and bob are key figures in most talks about cryptography. Here is a proposal to change it Ram and Sita from the Hindu mythology . Thanks to Jerry for sharing.

A lot of people shared this, so shouldn't be a surprise to most of you. But it seems like a good post to start this new blog with. Alice and bob are key figures in most talks about cryptography. Here is a proposal to change it Ram and Sita from the Hindu mythology . Thanks to Jerry for sharing.