Posts tagged ‘security’

A new vulnerability in Java

Looking at Sun’s take on it and Secunia’s links, there’s a fun little exploit in Java’s calendar objects that can allow a remote user to obtain escalated privileges, allowing them to read, write, and execute any files on your computer that you have access to. The interesting thing about this bug is that it doesn’t depend on memory being set up a certain way, which means it works reliably on a whole bunch of versions of Java, and in Mac, Windows, and *nix environments. You should update to the most recent version of Java to avoid this (see the Resolution section in the link to Sun above). Also, if you don’t use Java applets on the web, you might consider disabling Java in your browser (for Firefox, it’s under Edit > Preferences in the Content tab), so you don’t need to worry about this (programs that you download and run manually are much less likely to have exploits than programs you might automatically start running from visiting the wrong website).

A couple cool hacks

First off, Flash is vulnerable to by far the most awesome hack I’ve ever seen (there’s also a good summary of that paper). The attack has several different steps with integer overflows and failed memory allocations, but the heart of the matter is that the Flash player uses a 2-step process to validate that the code it’s running is probably safe, and this exploit changes the representation of the code in between the two checkers (it marks more of it as a no-op, so the second checker ignores the code with the exploit in it). This attack is awesome enough that it can carry out its task without disrupting the Flash player, so an unwary user will be none the wiser. and since there’s basically only one Flash player out there, every version of Flash is vulnerable. Yes, on Windows and even on Windows Vista despite their added security systems, as well as in principle on Linux and Mac. Yes, in both IE and Firefox (and presumably Safari also). This is yet another reason to install NoScript and FlashBlock on Firefox, so that sites cannot use Flash unless you give them permission. This is also another reason why standards should be open, so we can have more than one implementation of the Flash player, so not everyone will be vulnerable when something like this comes along.

The second hack I recently read about comes from Defcon celebrity Dan Kaminsky, who recently showed a very dangerous exploit that makes use of the way many ISPs these days turn DNS errors into pages of ads. This practice breaks the Same Origin Policy, so that your browser trusts these pages as though they came from the actual domain you typed in. To give an example, suppose I have an account with Bank of America and I go to Ordinarily, I’d get a DNS error. However, with certain ISPs these days, I would instead get a valid webpage saying the site doesn’t exist, but here are some ads instead. However, my browser asked for a website from and got back a website, so it trusts that it came from the bank. Consequently, it trusts the site with any cookies I have from BoA (these cookies are how BoA knows which account I’m logged into). If someone can put an XSS attack on the ISP’s ad injection system, they can grab my cookies and log into the bank as me. Yes, the bank can defend against things like this, but it’s an unusual enough hack that many companies aren’t defending against it. So beware, and if your ISP is doing this (for instance, if returns a valid website), opt out of it! In addition to exposing users to this sort of attack, these ad injection systems often break DNS, which in turn breaks non-HTTP error handling (for instance, I could not VPN into work until I opted out of my ISP’s version of this crap).

News of the Week (or a few days before)

The news of the week comes in two different parts, and I think that they both are distressing.

The high court of Maryland held up a law which has banned all gay marriages there. They didn’t, however, say lawmakers cannot repeal the decree if they want. In other words, neither the ban nor gay marriage is unconstitutional there. This nonetheless comes as a setback for anyone trying to legalize it; I fear that repealing the law will not happen for several more years at this rate.

Also, the EU rejected a plea from their parliament asking to cancel the ban of all liquids on flights coming into or leaving from Europe. They claim that the liquids can still pose a threat in the hands of some mythical terrorists (these people, apparently, somehow are able to blow up a plane with the liquids but cannot, of course, simply carry them on in the smaller containers allowed). The problem as I see it lies in the fact that the only known terororists ever considering using a liquid explosive were foiled without such a ban, and instead they were caught using only police and detective work (note that I thought there were older attempts, but I can’t seem to find them again; I recall that they also had planned to use liquids and they, too, were stopped by police work instead. I think this had been in the ’90’s sometime, but it’s honestly just a gut feeling.). However, the EU’s Commission decided that lifting the ban would still “lower its guard” and instead they require “the full range” of (useless and impotent) measures in place. These rules are so stupid; I wish someone there would just tell them they’re being irrational.

Sony Rootkits, round 2

You may remember in November 2005 when I wrote about [1] the Sony/BMG rootkit scandal. To summarize: they put software on their music CDs that, when run in a computer, automatically installed files you couldn’t detect (this was the rootkit part) that acted a lot like malware, and screwed with your CD-ROM drivers so that if you tried to uninstall it, you could no longer use your CD-ROM drive. The intended purpose was to run DRM software that kept you from copying your CDs, and to hide this software so you couldn’t uninstall it. However, the rootkit could also be exploited by others, so that any malicious software (if installed in the right place) would go completely undetected by any antivirus program you might be running. It was nasty stuff. Sony eventually recalled the CDs and offered to give out software to remove the rootkit if you gave them your name, address, phone number, and a bunch of other information. In the meantime, the FTC ruled that the software was illegal, and Sony paid out millions of dollars in class-action lawsuits.

Why do I bring this up, I hear you ask? Well, it seems that Sony can’t let this idea die: earlier this week it was revealed that Sony is trying a similar thing with their new USB flash drives. Again, this software automatically installs a rootkit on your computer, and again this rootkit can be easily exploited by any other software to hide files on your machine. I suspect this will end similarly, with a recall and a class-action lawsuit, assuming this gets as far in the media as the last rootkit did (I hope the media picks up on this).

I remember back in the day when Sony was a great company, and I really liked them. Things seem to have changed significantly since Howard Stringer became CEO of the company (which happened about 9 months before the first rootkit scandal was born). These days, I’m really dismayed with them. I’m now going to start boycotting Sony products (which shouldn’t be too hard, since I don’t buy much from them anyway).

[1] Only half the links in my old post still work. Sorry about that. Does anyone have any good ideas for how to avoid this problem in the future?

Defcon review

This weekend I went to Defcon 0xF with psifer and inferno0069, and it was a blast.

  • I stopped at Arby’s for lunch on the way there. I wanted two roast beef sandwiches and a small fries, the total of which came to $7.63. I then looked at their menu, and saw they still do the “5 items for $5.95” thing. So I canceled my original order and instead got two roast beef sandwiches with cheese, a medium fries, potato cakes, and a small shake. My new total: a mere $6.44. I ate about half this food, and threw the rest out. This doesn’t seem like a good business model to me, since I’m giving them less money and taking more of their food (half of which was wasted).
  • On the way there, I passed the exit for Zzyzx Road. I also drove past signs for Death Valley, which was kinda cool.
  • In order to raise money to help combat AIDS in Africa, the Hacker Foundation was selling red T-shirts which said

    on the front. I wanted to get one, but they were already sold out of my size. Another shirt was too nerdy even for me: it read “chown -R us ./base” Dorks!

  • I became a member of the EFF! They had a wonderful panel that covered all kinds of things they’re doing. Unfortunately, this weekend a new law was passed that makes warrantless wiretapping legal, which is something the EFF has been fighting since 2005. I’m not sure how this will fit in with a ruling last year that said that warrantless wiretapping is unconstitutional, but this is certainly a dark day for freedom.
  • I watched macdaddyfrosh, mtbg, and magicpacket valiantly lose at Hacker Jeopardy. but I won a T-shirt from Hack A Day.
  • Mike Andrews was there incognito, but I recognized him and talked to him for a bit. He might come to give a talk at my office at some point.
  • I entered the lockpicking contest and picked 15 of the easier locks (so I finished the contest in the middle of the pack with 71 out of ≈300 points). I’m pretty proud of myself, since I had never picked a lock with “real” tools before the con (though I have raked Masterlocks with a safety pin and street sweeper bristle).
  • Bruce Schneier held a Q&A session! That’s right: Bruce “I am a security fucking god” Schneier. [1] It was as amazing as I had hoped. That guy is so cool. I should point out that his blog has an RSS feed on LiveJournal, to which you can subscribe.
  • There were several talks this year discussing the influence the hacker community has on mainstream perception of stuff, which was pretty cool. Besides the annual “internet wars overview,” there was a talk which reviewed the recent cyberwar waged against Estonia by the Russian mob. DarkTangent himself (creater of both Defcon and the Black Hat security conventions) gave his account of the infamous Ciscogate scandal. Jennifer Granick (author of that article) also gave a talk about legal case studies; she is leaving her work at Stanford next month to join the EFF. There was also a talk about the effect that the locksport community has had on improving lock mechanisms.
  • There were so many amazing talks, I’m not going to discuss them all. but here’s a list of some of the cooler topics that were discussed: encrypted VoiP clients, timing attacks for botnets, digital forensics, social engineering and NLP, stopping jerks online, the basics of hardware hacking, and XSS in social networks.
  • Michelle Madigan was found to be an undercover reporter (link includes video of the incident) with a secret camera. She was outed from the conference. I wasn’t there when she was caught, but I did hear about it later that day. Press at Defcon are fine when they wear their press badges, but Michelle was apparently trying to covertly get anyone at the con to admit to a felony on her secret camera so she could do a shock report on the horrible, criminal hackers at the con (I don’t think there were many criminals there, but some reporters seem to have a penchant for fabricating stories/threats to get ratings).
  • I saw an OLPC XO-1 (more information on Wikipedia). It’s smaller than I expected, but the keyboard is child-sized, which makes sense. The screen is very readable (but very small). The touchpad/stylus area is pleasantly large, though.

[1] Yes, he’s so awesome that even his tmesis gets tmesis. [2]
[2] I admit, I’ve been looking for an excuse to use the word “tmesis” for a while now.

Back to my roots

Even though my blog is (edit: formerly) titled “Civil Liberties and World News,” I haven’t posted on either of these subjects in a month and a half. It’s time to return to that theme.

Former Secretary of State Colin Powell has started calling for the closure of Guantanamo. I fear it won’t be closed until we have a new president (and possibly not even then), but it’s nice to see that more people are standing up and saying that everyone should have a right to a trial. Moreover, a recent court decision stated that the US cannot indefinitely hold prisoners without trial. It would be fantastic if this kept up momentum. We’ll see what happens.

Also, the Massachusetts legislature defeated a proposed amendment to ban gay marriage (if the measure had passed, it would have gone to a public vote in 2008). There’s one tricky part left, though: a law almost a century old that states that non-Massachusetts residents can’t get married there unless the marriage would be legal in their home state. This was originally intended to fight interracial marriages. Let’s hope this law gets repealed soon!

In more worrying news, minorninth writes that national labs (including JPL) are putting tighter security clearances on all employees, including janitors and secretaries. They are now required to disclose drug use (edit: apparently this is currently legal, although many people think it shouldn’t be), financial records, their armed services numbers, and other totally inappropriate things. If you actually work on a sensitive project, there’s even more: they want to know about your international vacations and medical history (edit: upon further inspection, this looks like this part might actually be an acceptable thing, too, since these people have been granted special clearance by the government). The worst part about this is that the mainstream media doesn’t seem to be picking up the story at all, which is really too bad. I hope more people find out about this before this becomes the de rigeur.

Protected: Web Security Lessons: Cross-Site Request Forgery

This content is password protected. To view it please enter your password below:

For all you computer security types

I’m sure all the CS people reading this (and maybe even some of the non-CS types!) are familiar with buffer overflow attacks, and know how to both protect against them and exploit them in other people’s code, or at least have a vague idea about how to do it. However, fewer people have heard of format string attacks. Here’s a fairly detailed explanation, but I’ll summarize:

If, in your C or C++ code, you write printf(foo) (where foo is typically a const char*), it will just print foo to the screen. The one exception here is when foo contains the percent sign, in which case it prints corresponding things from the stack. If there are more %’s in the string than there are other things in the stack frame, it will begin printing out previous parts of foo itself. If foo was defined as input from a clever yet malicious user, they can craft strings that do nasty things to your program. Most importantly, they can read from (using %08x) and even write to (using %n) arbitrary locations in memory. Given that, they can pretty much do anything they want on your machine. Nifty!

The simple and obvious way to avoid this attack is to change all instances of printf(foo) in your code to printf("%s", foo) instead. The less obvious but much better solution is to not code in C or C++ ever again, and instead use a modern, high-level language like Python or Java (or if you’re Michael and worry about the speed of your program, use an actual low-level language like Assembly).

A couple other things

First off, quite possibly the first science fiction movie was Le voyage dans la lune, a silent film made in 1902 based off stories by H.G. Wells and Jules Verne (the French narration can be found here). It has some surprisingly good special effects, and is well worth the 14 minutes it takes to watch.

Also, it appears that Microsoft is actually going to require that all kernel-space drivers be certified in Windows Vista, which I think is going to be fantastic. They are permanently moving graphics stuff into user space, so I don’t anticipate many drivers needing certification. I expect that this will make the Windows kernel much more stable and secure, to the point that the BSoD might be a thing of the past in a few years. The Slashdotters are naturally wanking about OSS issues, but I think this is actually a pretty great change. The worrying part is that they could very well put copyright enforcement stuff in there, which no one would be able to change, even for legitimate reasons. Yes, that would be a poor design decision from a stability/security standpoint, but Microsoft hasn’t had the greatest record with that stuff in the past. Here’s hoping that the execution goes as well as the planning!

DEFCON summary

Coming back from DEFCON, I felt like Jack, coming down the beanstalk to announce that “there are giants in the sky! There are big, tall, terrible* giants in the sky!” I was introduced to a whole new world with new ways to look at everything. I had no idea most of that stuff was out there and accessible to me. Everyone seemed more knowledgable about every single topic, but it was exhilerating to see it all.

I met up with Matt, Dan, John, Eric, and two guys I hadn’t met (Chris and Andrew) in Vegas, and we all shared a room intended for 4 people. The first day, everything was delayed by 2 hours because the fire marshall forgot to approve our convention, or something. After that, however, there were talks running continuously from 10am until midnight (yes, you had to miss some talks if you wanted to eat meals). Although most of the stuff was about computer security (hex editors, phishing, the EFF, RFID spoofing, database rootkits, etc) there was a surprising amount of (non-computer) security stuff there too (lock picking, safe cracking, neurolinguistic programming, etc). There was also some (non-security) computer hacking stuff: hard drive repair, steganography, fuzzing, extreme programming, autonomous robotic BB-guns, the list goes on. Late at night, we went to the Hacker Jeopardy sessions. I’m now inclined to say that all game shows would be more interesting if they had strippers.

Here are some more highlights:

  • Dan Kaminsky (who is the hacker version of Judiciary Pag), gave an amazing talk about…um…everything. SSL, security problems with DNS, visual bindiffs, security problems with online banking. He’s incredibly relaxed, yet brilliant. His work is amazing, and he drinks beer throughout the talk. In fact, at the end during the question and answer part, he gave me a beer for suggesting the visual bindiff can be used to find duplications in your code! Usually I don’t like beer, but this one kind of tasted like victory. \/\/00T!
  • I got to talk to and shake hands with Cindy Cohn, director of the EFF. This was pretty special for me, because they’re one of the greatest organizations I can think of.
  • Lots of people were doing crazy hacking in the hotel: pay phones went missing. One of the elevators I rode in had the emergency phone open, and some guy karaoking Sinatra tunes out of it at us. Someone even managed to hack the Hacker Jeopardy display system during the game itself.
  • In theory, I learned how to pick locks (both normal picking and bump picking) at the Lockpicking Villiage. The weird thing was that they had a lockpicking contest, and apparently an 11 year old girl did rather well in it.
  • They have a Spot The Fed contest every year, where you try to find out which other conference-goers work for federal agencies (DoJ, FBI, USPS, Marines, Washington DC meter maids… any federal employee will do). This was pretty fun to see, but one story will always stick out: a woman brought a man up on stage and claimed he was a fed. She said she knew this because the night before, they hooked up, got drunk, had sex, and while he was asleep she went through his stuff and found his badge.
  • There were several games of a unique form of capture the flag going on: on the network was a computer with several security problems purposely put into it. The object of the game was for teams to hack into the box and then keep everyone else out. Not exciting to watch (just a bunch of people busily typing on their laptops), but a fun concept anyway.
  • I saw the wall of sheep, which is a computer with a packet sniffer and data mining system on it. It searched the network for unencrypted usernames and passwords, and then projected them up on the wall. A good reminder of how insecure most websites are.

So, DEFCON wasn’t as good as AAAI was, but I still had a great time and got my money’s worth. I’m not yet sure if I’ll be back next year, but I’m glad I went once. As the EFF panel mentioned, it’s really the only conference where the invited speakers can show up for the earliest talks at 10:00, unshaven, hung over, and still get a warm reception.

*Terrible: extreme in extent or degree; intense