
The oldest domain names on the internet

I recently came across a list of the first hundred domain names that were registered on the internet.  As cool as it was, there was not a lot of information to go with it, and I was curious about how many were still relevant to their original purpose.  For the sake of your attention span, I’m going to focus on the first ten names that were ever registered:

1. 15-Mar-1985 SYMBOLICS.COM Hmmm, sounds kind of familiar but I don’t even recall why.   When you go there today, it’s a parking page that acknowledges that it was the first registered name and states, “We are seeking to develop this into a useful and beneficial organization for the betterment of humanity.”
2. 24-Apr-1985 BBN.COM Never heard of this one.  Now it’s a redirect to www.cdl.com which is a Singapore-based real estate conglomerate.
3. 24-May-1985 THINK.COM This one now points to www.thinkquest.com which is owned by Oracle.  At a glance, it’s a bit unclear what their purpose is.  I have to wonder why you would point such a valuable domain at something like this and not explain its purpose a bit better.
4. 11-Jul-1985 MCC.COM Clearly another wasted historical domain.  This one points to www.stimulusgrantapproval.com
5. 30-Sep-1985 DEC.COM Here is the first one that I legitimately and fondly remember.  DEC was the maker of the Alpha family of processors and MANY other innovations before them.  In their final days, the DEC Alphas were affordable desktop supercomputers.  Affordable should have an asterisk because even the clones I was building in 1997 were roughly $10k but that’s another story.  Unfortunately for the computing world, DEC sold out to Compaq in the late nineties only to be later dissolved by HP which is where the domain now points.
6. 07-Nov-1985 NORTHROP.COM This is just a redirect for Northrop-Grumman, a sloppy and nasty redirect at that.  Click the link to see what I mean.
7. 09-Jan-1986 XEROX.COM Aha!  Here’s the first domain name on the entire list that is A) still relevant and B) doesn’t redirect to another URL.
8. 17-Jan-1986 SRI.COM “SRI International is an independent, nonprofit research institute conducting client-sponsored research and development for government agencies, commercial businesses, foundations, and other organizations. SRI also brings its innovations to the marketplace by licensing its intellectual property and creating new ventures.” At least they appear to be the original domain owner.  Oddly, there is ANOTHER SRI which is also a research organization who owns the .org.
9. 03-Mar-1986 HP.COM Love ’em or hate ’em, HP has been around and on the internet for a long time.  This is the second out of all ten domains that still actually points to the same place it always has and is still the same company with the same purpose as in 1986.
10. 05-Mar-1986 BELLCORE.COM Bellcore redirects to www.telcordia.com/.

So out of 10 domains, 3 of them still point to the sites they were originally registered to.  Seems like a bit of a waste to me.

Find my iPhone

I was listening to a comedy podcast and one of the guys told this awesome story about how he got his iPad back from someone who stole it at a supermarket.  One of the OTHER guys on the show had just lost his iPhone a couple of weeks before that and lamented about how he wished he had set up a program to track its location.  Luckily, after that event, everyone else on the show enabled Apple’s free app “Find my iPhone”.  Find my iPhone works on any newer iDevices such as iPads, 4th gen iPod Touches and 3G+ iPhones.

Enabling it is simple.  You go and download the free app from the App Store.  Then you enable a MobileMe account, which seems partially deprecated but is still used for this service.  To enable it, you go into Settings -> Mail, Contacts -> Add Account -> MobileMe.  You then sign in with your Apple ID.  At that point, you may or may not be required to confirm your email address.  After all that, you slide a switch to enable Find my iPhone.

When all that is done, you can sign into the app and track the device you are on, which is pretty useless, or you can track any other devices that you have access to track.  If you only have one device, you can sign into the Find my iPhone web app here:

http://www.apple.com/mobileme/features/find-my-iphone.html

So for all of the collective bitching about how iPhones track your location, this seems like a pretty fair trade to me overall.  This does bring up points though of subpoenas and forensics: it’s conceivable that you could be arrested for something, the police could confiscate and search your iPhone without a warrant, then see that you have this app installed and contact Apple to retrieve records beyond what the phone itself stores.  If your story doesn’t match what the records say, you could be in deep shit really quick.  This reminds me of an EXCELLENT video I saw on YouTube the other day about how you should never talk to the police under any circumstances since you can nearly never help your case.  It was a presentation given by a lawyer and a police officer:

http://www.youtube.com/watch?v=6wXkI4t7nuc

Every used router tells a story

I’ve been buying WRT54G variants at thrift stores for probably a year now.  It’s a little obsessive actually.  I would say I’ve purchased about 15-20 of them now.  My wife asks why I do it and I’m not sure I have a great answer.  Some of them I’ve used to set up my own network, others I’ve swapped out with friends and family to get them onto better, more stable hardware and still others I’ve bricked and experimented with.

Today I was at Goodwill up in Mount Vernon, WA.  Somewhat of a podunk, low-tech place.  I wasn’t particularly expecting to find a router but I did.  It was a shiny WRT54G v2.2 for $5.99.  I couldn’t pass it up at that price but honestly I will pay up to $12.99 for them so this was a score.

Anyways, I was remembering the Samy location tool story we ran on ISD Podcast a couple weeks back.  I decided to check out the MAC address for this router and see where it came from.  First I tried the address on the bottom of the router, not really expecting it to work.  Unsurprisingly enough, it didn’t work.  Then I remembered something that one of the other guys on ISD said: all the MAC addresses on the router are within a few digits of each other, so I incremented the last byte of the address a couple of times and, lo and behold, I was presented with an EXACT location in Edmonds, WA.  It was so precise in fact that it even gave me a street address.  For reference, Edmonds is 50 miles from Mount Vernon and there are at least 15 thrift stores closer to Edmonds than this one, so I’m not sure why it ended up way out there.

This was a little bit startling.  I’m not even entirely sure what the implications are but this does seem like a security risk to me.  With the address, I am able to obtain the home owner’s name, although with no guarantee that the router lived in that house.  Furthermore, I’m able to see what the name of the WiFi was.  In this case, it was “Jayne1”.  Popping in the street address, I found this was a small condo building.  If I wanted to dig further, I’m sure I could find which unit “Jayne” lives in.  She did change the default password, so I couldn’t see anything further without a bit more effort than I’m willing to put out at the moment.

If nothing else, the creepy factor here is pretty high.  The lesson here should be to reset your router config at minimum before sending your old router out to pasture.

Android Privacy Inspector

We’ve all been hearing about companies and developers not respecting your privacy and siphoning off details about you to their databases.  To be fair, many of these apps are free so they have to make money somehow but they should be a bit more forthcoming about their practices.  Since we know things will only get worse though, here is a proactive solution to help you see exactly what you are sharing.  From the product description:

“Privacy Inspector is the lite version of Privacy Blocker. Privacy Inspector reveals all your apps’ dirty secrets that steal your personal information. Find out what your apps don’t want you to know in seconds today!

Privacy Inspector is the only app that can fully lookout for apps that steal your private information and may be harmful. It is unlike any other app in that it can actually scan through other apps code to find privacy issues. No other app can do this on Android! This is what sets Privacy Inspector apart from other apps that claim protection.

After scanning for potential violations, Privacy Inspector will give you details about issues within your app(s). Have you ever felt uncomfortable downloading an app that needs a permission it shouldn’t have? Now find out what is inside the app and more.

Get the security you need that other apps like Anti-Virus Pro, Lookout Mobile Security, McAfee WaveSecure can’t find.

Privacy Blocker is the only way to fully protect you and stop apps from gathering your personal information. Privacy Blocker reveals all your apps’ dirty secrets and then safely fixes them so you can still use your apps with an assurance of full protection. Keep your device safe and your personal information secure today!”

Privacy Inspector is available in the main Android marketplace in two versions.  There is a free version that will scan all your apps and tell you the problems it finds.  That will at least allow you to decide whether the data you are leaking to them is a fair trade for use of the app.  The paid version allows you to fix/mitigate the issues that you find.  I’m not entirely sure how they do this since I haven’t used or purchased that version but I will probably check it out at a later date.

For now, I snagged the free app and scanned through a few apps.  The results were a little surprising to me.  Google Earth came up spotless, for instance, while the free version of Angry Birds has two issues and is rated “bad”.  The user interface is fairly attractive but I found it to be a little confusing at first.  It didn’t take long to figure it out but it could be a little more straightforward.  My other complaint is that you can only queue up 5 apps at a time to scan and the scanning process can take a few minutes per app.

I hope to see more apps like this and I can only hope that someone will produce something similar for the iOS platform (assuming Apple would allow for it).  The only problem with that is that this is exactly the type of app that nefarious individuals will be providing fake versions of.

Here is the link to Privacy Inspector

Zeus botnet for Dummies

For those not tuned into the infosec world, Zeus is a do-it-yourself kit for bad guys to make computer viruses and other malware with a point-and-click interface.  Zeus has been defeating your anti-virus and malware protection software for several years now, and the reason for this is that bad guys can customize the payload with MANY different features, so when you get hit with it on your computer, it ALWAYS has a different look and feel to it.  In other words, it can’t be detected based on a certain file name, file size, hash value or even necessarily a behavior, because these features are all customizable and somewhat randomizable via a plethora of different options.  I have come across something online that will pull back the curtain and give you some insight as to how complex and well thought out this tool kit is.

Presumably the same person who posted the source code online has also graciously posted the instruction manual for Version 2.1.0.0, March 20, 2011 of the Zeus crimeware kit on pastehtml.  Reading over this instruction manual shows the level of sophistication of the authors of Zeus.  The manual gives many insights on how the piece of malware you create will be able to hide itself from the user and the operating system.  Here is a short (paraphrased) excerpt from the Bot-Protection section:

  1. All objects (i.e. files, mutexes and registry keys) will be created with completely random and unique names.
  2. The code that first installs the bot is destroyed after the bot is installed.
  3. Files are not hidden from WinAPI, because anti-virus tools would find the file too easily.
  4. The bot can be updated on the fly without a reboot.
  5. The bot self-monitors the integrity of its own files, keys and other objects.

After the protection section, the manual spells out the server-side functions of the bot:

  1. Socks 4/4a/5 server with support for UDP and IPv6.
  2. Backconnect for any service (RDP, Socks, FTP, etc.) on the infected machine, i.e. it may gain access to a computer that is behind a NAT or, for example, one whose inbound connections are prohibited by a firewall. For this feature to work, additional applications are used that run on any Windows server on the Internet which has a dedicated IP.
  3. Getting a screenshot of your desktop in real time.

Next, the manual spells out the different ways your custom piece of malware can hook into wininet.dll or nspr4.dll to intercept HTTP/HTTPS traffic going through IE or Firefox.  (Pro-tip: keep Opera handy.)

  1. Modification of the loaded pages content (HTTP-inject).
  2. Transparent pages redirect (HTTP-fake).
  3. Extracting the desired pieces of data from the page content (for example the bank account balance).
  4. Temporarily blocking HTTP-injects and HTTP-fakes.
  5. Temporarily blocking access to a certain URL.
  6. Blocking the logging of requests for a specific URL.
  7. Forcing the logging of all GET requests for a specific URL.
  8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
  9. Getting session cookies and blocking user access to specific URL.
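The HTTP-inject and HTTP-fake features above depend on the bot overwriting the first bytes of exported functions in wininet.dll or nspr4.dll with a jump into its own code. Here is an added example, not code from the Zeus manual or from this post, of the check a defender would run over a module's export table to spot that kind of userland inline hook: classify each function prologue, and for a relative jump, resolve where it lands and flag it only if it leaves the module's own image. The module base, size, export names and prologue bytes below are constructed sample data, and the three trampoline patterns are a common heuristic rather than a Zeus-specific signature.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of an exported function look like. The three
 * non-clean forms are the usual trampolines left by userland inline
 * hooks (a heuristic, not a Zeus signature). */
typedef enum {
    HOOK_NONE = 0,       /* ordinary prologue, e.g. 8B FF 55 8B EC */
    HOOK_JMP_REL32,      /* E9 rel32       jmp rel32               */
    HOOK_JMP_INDIRECT,   /* FF 25 disp32   jmp [disp32]            */
    HOOK_PUSH_RET        /* 68 imm32 C3    push imm32 ; ret        */
} hook_kind;

hook_kind classify_prologue(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* For an E9 hook, resolve the target (rel32 is relative to the end of the
 * 5-byte instruction) and report whether it leaves the module's image.
 * A detour into memory the module does not own is the red flag; an
 * in-image jump can be a legitimate compiler thunk. */
bool jmp_leaves_module(const uint8_t *p, uintptr_t func_addr,
                       uintptr_t mod_base, size_t mod_size)
{
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);                 /* little-endian rel32 */
    uintptr_t target = func_addr + 5 + (uintptr_t)(intptr_t)rel;
    return target < mod_base || target >= mod_base + mod_size;
}

/* One export as a scanner would see it: name, address, first 8 bytes. */
typedef struct {
    const char *name;
    uintptr_t   addr;
    uint8_t     prologue[8];
} export_entry;

bool export_is_suspicious(const export_entry *e, uintptr_t mod_base, size_t mod_size)
{
    switch (classify_prologue(e->prologue, sizeof e->prologue)) {
    case HOOK_JMP_REL32:
        return jmp_leaves_module(e->prologue, e->addr, mod_base, mod_size);
    case HOOK_JMP_INDIRECT:
    case HOOK_PUSH_RET:
        return true;
    default:
        return false;
    }
}

/* Count the exports flagged, naming each one when verbose. */
size_t count_suspicious_exports(const export_entry *tab, size_t n,
                                uintptr_t mod_base, size_t mod_size, bool verbose)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (export_is_suspicious(&tab[i], mod_base, mod_size)) {
            hits++;
            if (verbose) printf("suspicious prologue: %s\n", tab[i].name);
        }
    }
    return hits;
}

/* CONSTRUCTED sample: a pretend wininet.dll mapped at 0x70000000, 1 MiB.
 * Addresses and byte patterns are made up for the demonstration. */
static const uintptr_t SAMPLE_BASE = 0x70000000u;
static const size_t    SAMPLE_SIZE = 0x100000u;

static const export_entry SAMPLE_EXPORTS[] = {
    /* clean hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp */
    { "HttpSendRequestA",    0x70012340u, {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10} },
    /* jmp +0x10000000 lands at 0x80012505, outside the image: reported */
    { "HttpSendRequestW",    0x70012500u, {0xE9,0x00,0x00,0x00,0x10,0xCC,0xCC,0xCC} },
    /* push 0xDEADBEEF ; ret: classic detour, reported */
    { "InternetReadFile",    0x70013000u, {0x68,0xEF,0xBE,0xAD,0xDE,0xC3,0xCC,0xCC} },
    /* jmp +0xFFB lands at 0x70014200, still inside the image: not reported */
    { "InternetCloseHandle", 0x70013200u, {0xE9,0xFB,0x0F,0x00,0x00,0xCC,0xCC,0xCC} },
};
#define SAMPLE_EXPORT_COUNT (sizeof SAMPLE_EXPORTS / sizeof SAMPLE_EXPORTS[0])

int main(void)
{
    size_t n = count_suspicious_exports(SAMPLE_EXPORTS, SAMPLE_EXPORT_COUNT,
                                        SAMPLE_BASE, SAMPLE_SIZE, true);
    printf("%zu of %zu exports look hooked\n", n, (size_t)SAMPLE_EXPORT_COUNT);
    return 0;
}
```

On a live system the prologue bytes would be read from the loaded module and compared against the same function in the on-disk file; the in-image versus out-of-image test is what keeps compiler-generated thunks from showing up as false positives.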

The list goes on and on but shows that this is truly a swiss army knife of malware.  Skipping down to the C&C feature description section, there is a lot of focus on client tracking and geolocation along with some logging and notification features.  One particularly interesting section of features spells out the client details that are tracked:

  • Windows version, user language and time zone.
  • Location and computer IP-address (not for local).
  • Internet connection speed (measured by calculating the load time of a predetermined HTTP-resource).
  • The first and last time of communication with the server.
  • Time online.

When you read over the instructions, you realize what an incredible tool this could be for plain old white hat system administration.  The level of detail provided in the instructions is truly impressive and rivals most legitimate pieces of software that we’ve seen as of late.

The other conclusion we can easily draw is that the Zeus crimeware kit is clearly the work of a well-backed team of developers rather than some Russian dude in his basement.

Most of the document is incredibly interesting and I would urge you to take a peek to see what’s behind the curtain.  We discussed this on ISD Podcast on episode 386.  Take a listen for more details.

The ISD Podcast has entered into a contest to help the Electronic Frontier Foundation (EFF) raise some funds this year before Defcon 19.

For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:

http://action.eff.org/site/TR/Contest/Advocacy?px=2617829&pg=personal&fr_id=1060


Derbycon memes

Scotch tape webcam security

The other day, a laptop crossed my desk that belongs to a family with three beautiful daughters.  Two of them have done extensive modeling even.  I’ve worked on this computer a few times before.  They carelessly tend to let anyone who walks into their home use this computer unsupervised.  The viruses tend to run rampant because of extensive Facebook use and using Limewire in the past.

Digging into the computer, I noticed that it had an infection of “ms removal tool”.  This is a simple scareware scam.  Running the latest update of Malwarebytes from safe mode blows out this one fairly swiftly.  I figured that was it but I decided to dig a little deeper just in case.  What I found wasn’t a virus but something far more sinister…

Someone somewhere along the line had installed “Webcam Spy Pro” on this laptop.  The intention of this “tool” is to allow someone to be able to remotely view your webcam from anywhere else in the world through a web browser.  This is one of the creepiest things I’ve personally encountered while fixing someone’s laptop.  I’m not sure if the perpetrator ever got the thing working but nevertheless, the intentions were there and the software does exist.

Although I believe the perp in this case was someone with physical access to the computer, it’s completely possible to remotely exploit a computer to install a tool such as this.  One of the top security testing tools, Metasploit, has this built right into it in fact, and it doesn’t even need to be installed on the remote computer, so you may never know anyone was even in there.

One thing I’m curious about is whether the webcam activity light is hardwired to the webcam’s power source or if it’s software-controlled via the driver.  If it’s the latter, I’m sure I don’t need to go into the implications of being able to turn on someone’s webcam without the indicator light going off.

In any event, you can protect yourself from this sort of intrusion entirely by putting a piece of scotch tape over your camera.  Some laptops use the camera as an ambient light sensor; the scotch tape won’t impact this but it will obfuscate the picture to the point where an attacker would only see a blur.  Try out an app that will view the camera just to make sure it works the way you want.

As far as sound goes, one trick I’ve used is plugging an unused 1/8″ to 1/4″ adapter into the microphone jack.  Most laptops will switch off the internal mic when you do this.

How to extract audio clips from a garageband file

This may seem like an obvious thing to some folks but it might be a mystery to others so I’m writing up a short post.

I have been recently working on sweepers for the ISD Podcast and Rick sent me a garage band file with a few audio clips that I didn’t have in my collection.  I wanted to extract these clips so I could cut them up and rework them with a tool such as Audacity.

From the finder, I simply right-clicked on the garage band file and clicked “show package contents”.  From there, I looked in the “media” folder that showed up and all the audio clips I needed were right there so I copied them out so I could work on them.

InfoSecDropBox rest in peace


Sometime around 10am PDT on March 29th, 2011 someone in the InfoSec world had a clever idea to create a twitter account that anyone could log into and vent frustrations they had about the InfoSec industry or whatever else they wanted to.  Whoever did it remains unknown but luckily I was able to snag this screenshot from another browser after I realized it had been shut down only 4 hours after it was created.  I estimate that there were roughly 60-80 people who ultimately logged in and vented on this soundboard.  Twitter caught on as it was pretty much starting to go viral.

The bio first read:

“I am Jack’s infosec-induced rage. Password is Infosec, come log in and vent your rage anonymously. (And get yourself +1 followers)”

Then was changed to:

“I am Jack’s infosec-induced rage. Come log in and vent your rage anonymously. The password is guessable. So figure it out.”

Ultimately, this was a brilliant mashup of twitter and 4chan.  My hat goes off to whoever thought of this.


Update 3/29/2011 1:59pm pst:  Someone just posted a v2 InfoSecDropBox but consequences will never be the same 🙁

Update 3/30:

The Adrians (Irongeek and Sanabria) have dug up a bit more so I will post that here as well:

Missing a few of the funniest hours…

InfoSecDropBox Mar 29, 8:07pm via web
Alright alright.. enough.

InfoSecDropBox Mar 29, 4:23pm via web
hey everyone want to know aloria real name

InfoSecDropBox Mar 29, 4:21pm via web
#2

InfoSecDropBox Mar 29, 4:20pm via TweetDeck
pen testers are typically arrogant assholes, guess who created this, a pen tester

InfoSecDropBox Mar 29, 4:20pm via web
I use IE6 #2

InfoSecDropBox Mar 29, 4:20pm via web
@InfoSecDropBox @0ph3lia @aloria Shes on @th3j35t3r dick too much.

InfoSecDropBox Mar 29, 4:19pm via web
why wont @0ph3lia sleep with me why wont @aloria sleep with me why wont anyone sleep with me

InfoSecDropBox Mar 29, 4:18pm via web
@th3j35t3r = slowloris with a fancy GUI….Long live @real_j35t3r

InfoSecDropBox Mar 29, 4:16pm via web
is @aloria a tranny

InfoSecDropBox Mar 29, 4:15pm via web
@real_j35t3r is with ANONYMOUS!!!!

InfoSecDropBox Mar 29, 4:14pm via TweetDeck
@infosecdropbox says STFU @infosecdropbox

InfoSecDropBox Mar 29, 4:14pm via web
EVERYBODY IS A FAKE HACKER. GO HOME.

InfoSecDropBox Mar 29, 4:13pm via web
@th3j35t3r is a pretend hacker….long live @real_j35t3r!!!

InfoSecDropBox Mar 29, 4:13pm via web
.@real_jester is a fake long live @th3j35t3r. PS fuck Anon.

InfoSecDropBox Mar 29, 4:10pm via web
The password to this account is Infosec. It’s not a secret. I removed it from the profile to prevent bots… cool w/ everyone?

InfoSecDropBox Mar 29, 4:05pm via web
Looking for female roommates for defcon. RT pls, send pic. -Thx-L

InfoSecDropBox Mar 29, 3:58pm via web
BRING BACK TEH LULZ. Hacking was fun once.

InfoSecDropBox Mar 29, 3:58pm via web
Hey @0ph3lia do you realize that technical skills alone do not make a security professional? Stop shitting on QSAs or I will suckerpunch

InfoSecDropBox Mar 29, 3:58pm via web
My name is Gregory D. Evans.

InfoSecDropBox Mar 29, 3:52pm via web
I hacked HBGary.

InfoSecDropBox Mar 29, 3:51pm via web
I QUIT SECURITY

InfoSecDropBox Mar 29, 3:51pm via web
If anything on this gets taken seriously you need to get a life.

Mar 29, 3:01pm via web
How long before some douche resets the password?

InfoSecDropBox Mar 29, 1:09pm via web
PW = “Infosec” come log in and vent your rage anonymously!

Here are some archived html files as captured by Irongeek.

Lastly, here is a PDF file of the reactions to InfoSecDropBox that was captured a bit after it was shut down.
