Predictable Random Num Generation In OpenSSL

May 13th, 2008 josh

Debian has a security advisory (DSA 1571-1) stating that Luciano Bello has discovered that the random number generator in Debian’s openssl package is predictable. This does not affect other operating systems that aren’t based on Debian, but other systems could be indirectly affected if weak keys are implemented on them.

The official advisory states:

"It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation."

and most important

"Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though."

I highly recommend you make sure your system is not affected and if so the old stable distribution (sarge) is not currently affected.

Br0kenhalo.com has figured it out:

random

Posted in Reversing & Research

80Gbps Of Maximum DPI

May 12th, 2008 josh

Today, Procera Networks announces a new bar in Deep Packet Inspection (DPI) called the PacketLogic PL10000, which is capable of throttling 5 million P2P users and breaking down packets in real time on streams of 80 Gbps with 96% accuracy of analysis.

The current stats for a fully loaded PL10000 12U chassis with 8xFP modules:

Bandwidth: 40 Gbps Full Duplex, i.e. 80 Gbps total throughput
Concurrent Flows: 40 million
New Connections per Second (CPS): 1,000,000
Subscribers: 5 million

It also has other features like DHCP snooping, RADIUS snooping, and Python API integration for DHCP, AAA, LDAP, and AD.

Official website of the PL10000.

Posted in Security Testing

seekdir() FIXME

May 11th, 2008 josh

Marc Balmer has fixed a bug that has resided in BSD for almost 25 years, dating back to some of the first versions of BSD. The bug surfaced as Samba crashing when serving files from an MS-DOS filesystem.

"Much to my surprise I not only found this problem in all other BSDs or BSD derived systems like Mac OS X, but also in very old BSD versions. I first checked 4.4BSD Lite 2, and Otto confirmed it is also in 4.2BSD. The bug has been around for roughly 25 years or more."

For full details on the bug, please view Marc Balmer’s post here.

I couldn’t help but post about this because... well, 25 years is a long time. I would like to think I am young, but nobody tried to work with MS-DOS filesystems? You still hear complaints today about the lack of interop between Linux and MS environments. I guess I am just surprised.

Posted in Odd Permutations

The Online Google Hacking DB Simplified

May 9th, 2008 josh

GNUCITIZEN has taken the liberty of utilizing the "Johnny I Hack Stuff" Google Hacking Database in a neat automated front end for pen-testing. You simply plug in the URL of the site under test, use the Query Modifier if needed, and execute your run by using the Action Panel’s Search or Google functions. Try it out!

Posted in Security Testing

Museum Of Broken Packets

May 7th, 2008 josh

Oddly enough, I was searching for some information on a particular core dump when I came across a website called "museum of broken packets". How could I resist viewing a website that contains abused, strange, and malformed packets that once lurked the very depths of the edge? The showcase of abnormal packets and payloads appears to be outdated and was last modified in 2003, but it is still a site to see.

I enjoy the overview description of the website as well:

"The purpose of this museum is to provide a shelter for strange, unwanted, malformed packets - abandoned and doomed freaks of nature - as we, mere mortals, meet them on the twisted paths of our grand journey called life. Our exhibits - or, if you wish, inhabitants - are often just a shadow of what they used to be before they met a hostile, faulty router. Some of them were born deformed in the depth of a broken IP stack implementation. Others were normal packets, just like all their friends, you or me, but got lost looking for the ultimate meaning of their existence, and arrived in places we should never see them. Every time, we try to find the unique history of their lives, and to make you understand how difficult it is to be a sole messenger in the hostile universe of bits and bytes."

Posted in Odd Permutations

U.S Borders Haz Ur Devices

May 4th, 2008 josh

Security Focus is reporting that you should limit the amount of data stored on your devices when traveling because of the current increase in "digital searches" at borders. This makes you think: how personal is your personal laptop? I think proper authorities can look over the data stored on my personal devices because I have nothing to hide, but I would hope only in the context of suspicious activity, and that the right to search does not get abused. On the second page of the article, Security Focus mentions the first thing that came to my mind, which was the use of cryptography. Companies and users are starting to travel with laptops that have encrypted hard drives due to sensitive data being stored and laptop theft. It was reported in 2005 that 600k laptops are stolen or lost every year in the U.S., not including how many of those cases led to identity theft. People need to make things clear on how they stand and/or civil rights because the current security implementations we use now to protect ourselves and/or data may be stripped away.

Posted in Life, Life in Security

Update

April 21st, 2008 josh

Ahoy, Matey! I have been running around lately for work; I should have some new posts up soon. I am also trying to get material ready for when I start writing my book in August.

Posted in Life, Life in Security

Running Wireshark on OSX (Native)

April 15th, 2008 josh

Christian Hornung has reengineered a somewhat stable release of Wireshark for Leopard or Tiger on Intel and PPC. I am happy about this because I am really not a fan of MacPorts or Fink. It seems to run fine so far, and I notice one issue with filtering. Go download it at http://www.christian-hornung.de/.

Posted in Reversing & Research, Security Testing

Hearing Your Enemy (IDS Intelligence)

April 13th, 2008 josh

First, before I get started, I don’t proclaim to be completely sane. I have a lot of ideas and do a lot of thinking about things; these things or ideas may be useful or just thoughts. A blog can be like a crazy person on the side of the street holding a sign stating something absurd, and you’re just shaking your head.

When we think about traditional Intrusion Detection and Prevention systems, they alert us by signatures (rules) but also by other parts of Snort such as its internal packet decoder and the preprocessors.

A thought came across my head the other day about being able to hear your attacks instead of having to check your monitoring system ritually. Common IDSs only alert you and do not go so in depth. What if attacks could be classified by different tones? The IDS understands a certain type of attack on your system and alerts you, but also now produces a certain tone of a certain length. For instance, a DDoS or SYN flood would produce a tone for a certain period of time, because it’s multiple packets. But again, these would be two different distinguishable tones, due to being two different types of attacks.

If someone were to create this type of technology, assuming it does not exist, I would hope some form of rules were created and everyone across the board used the same tones and lengths of tone generation, so that security engineers and such can memorize and easily become familiar with them. It’s like picking up a home phone and hearing the tone: everyone is trained to wait for the tone and then dial, or in our case, react.

If someone were to utilize this, they could base the governing rule set of tones on the composition of the Special Information Tone (SIT) found in phone systems. The primary parts of focus would be segment durations and encoding. For more information on SIT please go here.

In theory, the creation of tones would have to utilize existing IDS technology to understand what type of attack is taking place; this would have to reference the predefined signatures for classification.

As we all know, IDS has lost its momentum due to being based around signatures and not stopping the great oh-days; this would be a problem with attacks being associated with tones as well. It’s better to have an IDS than no IDS at all, but maybe this idea could help make someone’s job a little easier.
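A sketch of the idea above, as an added example that is not part of the original post: Snort "fast" alert lines are classified by their `Classification` field and each class is rendered as a three-segment tone using the nominal SIT segment frequencies and short/long durations. The class-to-tone plan, the sample alert lines and all function names are assumptions made for illustration; no such standard mapping exists.

```python
import math, re, struct, wave

# Nominal SIT segment frequencies (Hz) and durations (seconds).
SEG1 = {"low": 913.8, "high": 985.2}
SEG2 = {"low": 1370.6, "high": 1428.5}
SEG3 = 1776.7                      # third segment is always this tone, long
DUR = {"short": 0.276, "long": 0.380}
# Hypothetical plan: Snort classification -> (seg1 freq, seg1 dur, seg2 freq, seg2 dur).
TONE_PLAN = {
    "Attempted Denial of Service": ("high", "long", "low", "long"),
    "Detection of a Network Scan": ("low", "short", "low", "long"),
    "Attempted Administrator Privilege Gain": ("high", "short", "high", "short"),
}
UNCLASSIFIED = ("low", "long", "high", "long")   # fallback for any other class

ALERT_RE = re.compile(r"\[Classification: ([^\]]+)\] \[Priority: (\d+)\]")

# Constructed sample lines in Snort's "fast" alert format.
SAMPLE_ALERTS = [
    "04/13-10:15:02.120000  [**] [1:1000001:1] EXAMPLE syn flood [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:4431 -> 198.51.100.5:80",
    "04/13-10:15:09.480000  [**] [1:1000002:1] EXAMPLE port sweep [**] "
    "[Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.0.2.77:5123 -> 198.51.100.5:22",
]

def tone_for(alert_line):
    """Return the three (frequency, duration) segments for one alert, or None."""
    m = ALERT_RE.search(alert_line)
    if m is None:
        return None
    f1, d1, f2, d2 = TONE_PLAN.get(m.group(1), UNCLASSIFIED)
    return [(SEG1[f1], DUR[d1]), (SEG2[f2], DUR[d2]), (SEG3, DUR["long"])]

def synth(segments, rate=8000, amplitude=12000):
    """Render segments as signed 16-bit mono PCM samples."""
    pcm = []
    for freq, dur in segments:
        pcm += [int(amplitude * math.sin(2 * math.pi * freq * i / rate))
                for i in range(round(dur * rate))]
    return pcm

def write_wav(path, pcm, rate=8000):
    with wave.open(path, "wb") as out:
        out.setparams((1, 2, rate, 0, "NONE", "not compressed"))
        out.writeframes(struct.pack("<%dh" % len(pcm), *pcm))

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_ALERTS):
        write_wav("alert_%d.wav" % n, synth(tone_for(line)))
```

Because the tone is derived from the rule's classification, anything the signatures miss stays silent, which is the limitation the post itself points out.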

Posted in Odd Permutations

RSA Security Bloggers Meet-Up

April 11th, 2008 josh

I have been really busy lately and just finished the RSA conference. One of the major highlights was the bloggers meet-up put on by Jennifer Leggio and sponsored by Fortinet, Microsoft, and StillSecure.

It was great to meet people blogging on different topics or areas of security; everyone has different outlooks or expertise based on or around security, and finally getting to meet them face to face and hearing their thoughts instead of reading them can be interesting as well.

Thank you, Jennifer, for putting on a great meet-up. In the meantime, I hope to have some more blogging content up soon.

Going to sleep!

Posted in Life, Life in Security