Slashdot Mirror

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."

brajesh writes "CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."

brajesh writes "CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."

Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."

1sockchuck writes "Exploits are already circulating for at least two (and possibly four) of the Windows security holes addressed in Microsoft's updates on Tuesday. Several working exploits have been released for a new vulnerability in Windows Plug and Play technology, which could be used to spread a worm targeting Windows 2000 machines, according to eEye security, which has released a free scanner to help network admins identify vulnerable computers."

An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."

Myrrh writes "eEye reports they discovered a heap overflow in QuickTime 6.5, which 'allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code.' Now's a swell time to visit Apple and download the updates for both programs." Also, Apple today released Security Update 2004-05-03, which includes updates for AFP Server, CoreFoundation, and IPSec, and is, like the QuickTime 6.5.1 update, available via Software Update.

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually disovered the worm on the 8th of March, and came up with a fix the next day.

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually disovered the worm on the 8th of March, and came up with a fix the next day.

archaic0 asks: "I've recently acquired a new client (I do on call tech work for several companies where I live) who have requested a security audit. In the past I've hired several friends (self-proclaimed security consultants) in the industry to run various exploits and tests for me, but due to the time involved and the cost, I'd like to find a short introductory type option to start a new client off with. I recently ran across a program called Retina, by eEye, and I'm quite impressed however it comes with a $1400 price tag per use (or $14,000 a year for a bulk license). Can anyone point me to tools they've used to do a pretty well-rounded security scan that can produce detailed reports? I know there is no substitute for a real security professional spending time confirming your network security, but I'd like to have at least one good tool to start a new client off with before throwing a huge security team at them."

archaic0 asks: "I've recently acquired a new client (I do on call tech work for several companies where I live) who have requested a security audit. In the past I've hired several friends (self-proclaimed security consultants) in the industry to run various exploits and tests for me, but due to the time involved and the cost, I'd like to find a short introductory type option to start a new client off with. I recently ran across a program called Retina, by eEye, and I'm quite impressed however it comes with a $1400 price tag per use (or $14,000 a year for a bulk license). Can anyone point me to tools they've used to do a pretty well-rounded security scan that can produce detailed reports? I know there is no substitute for a real security professional spending time confirming your network security, but I'd like to have at least one good tool to start a new client off with before throwing a huge security team at them."

pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has been just announced by eEye. It is worthy to note, that it took Microsoft over 6 months to fix it. The bug affects ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.

Juan Carlos writes "Wired Magazine is going to publish the source code to the SQL Slammer worm in its next issue, due Tuesday, along with some kind of play-by-play of the worm's rapid spread. I actually think this is a neat idea for an article. But the fact is, the disassembly of Slammer (aka Sapphire) has been available on the Net since late January -- just hours after the worm started to spread."

You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.

1) Interesting stories involving nmap?
by Neologic

Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?

Fyodor

The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.

Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.

Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.

2) Recent increases in anal-retentiveness...?
by Zeriel

There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...

What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?

Fyodor

That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps your just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?

The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.

You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.

Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:

1. Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
2. Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
3. Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.

I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like: nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16 nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24 Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.

3) OS fingerprinting
by neoThoth

What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?

Fyodor

There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].

While adding new fingerprinting techniques is fun and exciting, improving the signature database often ads more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.

Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.

4) Stepping into a network security career
by Anonymous Coward

I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?

Fyodor

Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.

Here are my suggestions for anyone starting out in network security, whether for fun or profit:

Step 1: Learn everything you can

1. You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
2. Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
3. Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
4. Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.

   There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.

   Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.

   I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.

5. Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.

Step 2: Now apply your newfound knowledge

Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:

Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!

When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.

Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.

Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.

Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.

I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).

5) Have you ever been tempted to use your gifts...
by Tim_F

...in a negative manner?

Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?

And if you haven't, why is that the case?

Fyodor

I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.

Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.

Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:

1. You don't go to jail (If you've worded your contract carefully.)
2. Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
3. They actually pay you for this! And you are helping to protect them and the privacy of their customers.

Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.

6) You'll have seen a lot of breakins.
by Hulver

During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.

Fyodor

On the humorous front, one attacker was was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.

In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-sytem-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.

7) What makes a honey net enticing?
by cornice

It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is is possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?

Fyodor

Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.

I do believe baiting the "smart fish" might be possible, but I have never done this. Is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.

8) IPv6
by caluml

Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?

Fyodor

Finding a machine by by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.

9) standalones and small home nets
by zogger

it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporations is, and usually not having the appropriate skill set, is even harder to implement.

Fyodor

I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:

Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:

nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [ your IP ]

The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case.

Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.

Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.

Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.

Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If your are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.

Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.

Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.

What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.

What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version.

10) What is your favourite tool?
by Noryungi

I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.

One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).

Fyodor

I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:

One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.

Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.

Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Doug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.

While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!

I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).

Cheers,
Fyodor

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.

bugninja writes "According to an article at News.com, Adobe wins 2.8M from Macromedia today for using some patented interface stuff in Flash. But this isn't the end, further legal battles could require that Flash be removed from Macromedia's list of "products for sale". We may not all be Flash lovers, but is it right to take a good product away from so many people who really do like it just because another company's product isn't taking over the market like they hoped it would?" Update: 05/03 13:29 GMT by J : Speaking of Flash, yesterday eEye discovered a very serious security hole in the version of Flash distributed with most copies of Windows. Go download the fixed release.

TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."

TedCheshireAcad writes: "A story at the Register asserts that MS's 'Trustworthy Computing' campaign has failed once again, with eight new IIS vulnerabilities discovered. The vulnerabilities include such delights as a buffer overflow in the ASP ISAPI filter, improper HTTP header handling, FrontPage Server Extensions problems and more goodies. Both IIS 4 and 5 are vulnerable. Thanks to eEye and @Stake for their advisories here(1) and here(2)."

At this moment, there's an office somewhere in Waggener Edstrom with its lights on and a fresh pot of coffee. Microsoft's PR firm is racking its brains working on strategy and tactics for their phone calls tomorrow. As of right now, hundreds of thousands of wormy Microsoft machines are throwing packets at the Bush White House (and missing -- see below). Bill Gates really, really doesn't want Sunday papers editorializing about how shoddy and dangerous his security flaws are. Will billg be the hero or the goat? Slashdot, in its fine tradition of laughing in the face of overworked netadmins, is running a contest. Walk a mile in Waggener Edstrom's shoes, predict the Times's headlines, and win yourself a T-shirt.

Waggener's goal is to minimize the PR damage that the worm will cause. This is potentially a very damaging story for them. Not so much because it underscores the dangers of an insecure, monocultural environment monopolizing our vital networks. Not even because of the embarrassing and ironic nature of the worm. More because it involves a hot button political topic -- Bush and, allegedly, China -- which the average reader will be interested in and might even almost understand.

So what's their battle plan?

Well, first Waggener will try to predict the yield. Our guesstimates as of right now, 11:36 PM EDT Thursday evening, are that it's a dud -- whitehouse.gov is still accessible and my IRC server hasn't gone down. This is probably because whitehouse.gov simply sidestepped its IP address (the stupid worm author hardcoded it instead of using DNS): White House dodges Web worm.

But at least 196,000 machines were infected. You'd think something would happen. Maybe a router will crash and Delaware will fall off the map. Who knows?

Second, Waggener will have an overall strategy. This might range from overhyping the potential danger ("turn off your computers! prepare for Armageddon! oh it didn't happen -- we saved you") to distraction with trivia ("we are pleased with the judges' verdict last week. look over there!"). How will the firm modify our reality?

Third, Waggener will use different approaches on different audiences. Reporters from different tech publications will talk to different handlers, and hear different things. Keep in mind which way these publications lean when you predict what their reactions will be.

Here's the contest. OSDN will be giving away four Slashdot T-shirts (or some other ThinkGeek shirt) to the four readers who most accurately predict newspaper headlines about the "Red Code" worm.

The newspapers of record we're using are the Washington Times and the New York Times. The categories are:

Headline on the Washington Times news story, Saturday morning
(label it: "WT News") Headline on the New York Times news story, Saturday morning
(label it: "NYT News") Title of the Washington Times editorial, Sunday morning
(label it: "WT Ed") Title of the New York Times editorial, Sunday morning
(label it: "NYT Ed")

Type up four guesses and submit them in a comment below. If your guess for any of the four is the closest in its category, you win a T-shirt!

For example, if our contest had been to predict headlines about global warming on July 19, and you'd said:

"WT News: Bush Visits Europe, Says Many Words Correctly
NYT News: Bush Promises Called Into Question
WT Ed: Good News on Global Warming
NYT Ed: Clueless on Global Warming"

...then you'd win, because you guessed the NYT editorial title correctly.

So put on your corporate-PR "spinning" caps, get out there and make us proud!

The Small Print:

1. Top headline only, you don't have to predict subheads or whatever.
2. In case of two stories/headlines, we pick the biggest one, our discretion.
3. Up to four guesses to a post, one for each headline (post early, post often, but slow down cowboy!).
4. One T-shirt to a person.
5. Ties go to the f1rst p0st.
6. No posts after the paper's out, of course (print or electronic, whichever's first) - first edition print is the goal.
7. No OSDN/VA Linux employees or relatives eligible.
8. You must either be logged in when you post or include one email address in your comment; email is how we'll contact you for your snail-mail address. Spamarmor it if you like, as long as we can read it.
9. If for some crazy, absurd reason one of the papers doesn't run a story/editorial about this at all, we'll go looking for a "similar" paper's story/editorial and pick its headline. We're thinking L.A. Times, Wall Street Journal, that kind of thing. If the papers actually run stories today (Friday), well, darnit that wasn't much of a contest was it? We'll still look for editorials on Sunday.
10. All judges' judgments are final.

At this moment, there's an office somewhere in Waggener Edstrom with its lights on and a fresh pot of coffee. Microsoft's PR firm is racking its brains working on strategy and tactics for their phone calls tomorrow. As of right now, hundreds of thousands of wormy Microsoft machines are throwing packets at the Bush White House (and missing -- see below). Bill Gates really, really doesn't want Sunday papers editorializing about how shoddy and dangerous his security flaws are. Will billg be the hero or the goat? Slashdot, in its fine tradition of laughing in the face of overworked netadmins, is running a contest. Walk a mile in Waggener Edstrom's shoes, predict the Times's headlines, and win yourself a T-shirt.

Waggener's goal is to minimize the PR damage that the worm will cause. This is potentially a very damaging story for them. Not so much because it underscores the dangers of an insecure, monocultural environment monopolizing our vital networks. Not even because of the embarrassing and ironic nature of the worm. More because it involves a hot button political topic -- Bush and, allegedly, China -- which the average reader will be interested in and might even almost understand.

So what's their battle plan?

Well, first Waggener will try to predict the yield. Our guesstimates as of right now, 11:36 PM EDT Thursday evening, are that it's a dud -- whitehouse.gov is still accessible and my IRC server hasn't gone down. This is probably because whitehouse.gov simply sidestepped its IP address (the stupid worm author hardcoded it instead of using DNS): White House dodges Web worm.

But at least 196,000 machines were infected. You'd think something would happen. Maybe a router will crash and Delaware will fall off the map. Who knows?

Second, Waggener will have an overall strategy. This might range from overhyping the potential danger ("turn off your computers! prepare for Armageddon! oh it didn't happen -- we saved you") to distraction with trivia ("we are pleased with the judges' verdict last week. look over there!"). How will the firm modify our reality?

Third, Waggener will use different approaches on different audiences. Reporters from different tech publications will talk to different handlers, and hear different things. Keep in mind which way these publications lean when you predict what their reactions will be.

Here's the contest. OSDN will be giving away four Slashdot T-shirts (or some other ThinkGeek shirt) to the four readers who most accurately predict newspaper headlines about the "Red Code" worm.

The newspapers of record we're using are the Washington Times and the New York Times. The categories are:

Headline on the Washington Times news story, Saturday morning
(label it: "WT News") Headline on the New York Times news story, Saturday morning
(label it: "NYT News") Title of the Washington Times editorial, Sunday morning
(label it: "WT Ed") Title of the New York Times editorial, Sunday morning
(label it: "NYT Ed")

Type up four guesses and submit them in a comment below. If your guess for any of the four is the closest in its category, you win a T-shirt!

For example, if our contest had been to predict headlines about global warming on July 19, and you'd said:

"WT News: Bush Visits Europe, Says Many Words Correctly
NYT News: Bush Promises Called Into Question
WT Ed: Good News on Global Warming
NYT Ed: Clueless on Global Warming"

...then you'd win, because you guessed the NYT editorial title correctly.

So put on your corporate-PR "spinning" caps, get out there and make us proud!

The Small Print:

1. Top headline only, you don't have to predict subheads or whatever.
2. In case of two stories/headlines, we pick the biggest one, our discretion.
3. Up to four guesses to a post, one for each headline (post early, post often, but slow down cowboy!).
4. One T-shirt to a person.
5. Ties go to the f1rst p0st.
6. No posts after the paper's out, of course (print or electronic, whichever's first) - first edition print is the goal.
7. No OSDN/VA Linux employees or relatives eligible.
8. You must either be logged in when you post or include one email address in your comment; email is how we'll contact you for your snail-mail address. Spamarmor it if you like, as long as we can read it.
9. If for some crazy, absurd reason one of the papers doesn't run a story/editorial about this at all, we'll go looking for a "similar" paper's story/editorial and pick its headline. We're thinking L.A. Times, Wall Street Journal, that kind of thing. If the papers actually run stories today (Friday), well, darnit that wasn't much of a contest was it? We'll still look for editorials on Sunday.
10. All judges' judgments are final.

eEye Digital Security was doing some testing that apparently Microsoft hadn't done on its own webserver (IIS 5.0) running on its latest OS (Windows 2000, all versions). "Within a matter of minutes," they say, "a debugger kicked in on inetinfo.exe because of a 'buffer overflow error'" -- and two weeks later, we got simultaneous announcements from Microsoft and eEye. This is a remote SYSTEM-level exploit in a popular webserver, in the wild, i.e., Danger Will Robinson. eEye says about a million servers will need to be patched; it may be more. Go see Microsoft's writeup and patch. See also eEye's droll and informative writeup, which, now that an exploit is confirmed to be in the wild today, has added some source code.

eEye Digital Security was doing some testing that apparently Microsoft hadn't done on its own webserver (IIS 5.0) running on its latest OS (Windows 2000, all versions). "Within a matter of minutes," they say, "a debugger kicked in on inetinfo.exe because of a 'buffer overflow error'" -- and two weeks later, we got simultaneous announcements from Microsoft and eEye. This is a remote SYSTEM-level exploit in a popular webserver, in the wild, i.e., Danger Will Robinson. eEye says about a million servers will need to be patched; it may be more. Go see Microsoft's writeup and patch. See also eEye's droll and informative writeup, which, now that an exploit is confirmed to be in the wild today, has added some source code.

In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?

As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.

Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:

"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."

Now here's the history of DoubleClick security since last week, as far as I can tell.

Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.

The first IIS vulnerability is the commonly-known unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."

Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.

DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.

But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.

It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.

What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.

The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.

DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.

The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."

Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.

Not that SQL should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."

Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."

Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.

That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.

But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.

As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)

DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.

Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.

And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)

Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.

I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.

I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.

And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)

And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.

Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."

It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/ foodtv-bak/form/chefs.txt.

This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak with by internal audit.

This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!

I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.

"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."

"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.

When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."

Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.

And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."

In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue?

As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.

Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:

"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."

Now here's the history of DoubleClick security since last week, as far as I can tell.

Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.

The first IIS vulnerability is the commonly-known unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."

Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in.

DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.

But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.

It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.

What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.

The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.

DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.

The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."

Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.

Not that SQL should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."

Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."

Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.

That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.

But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.

As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)

DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.

Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.

And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)

Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.

I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.

I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.

And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)

And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.

Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."

It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/ foodtv-bak/form/chefs.txt.

This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak with by internal audit.

This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!

I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.

"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."

"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.

When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."

Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.

And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."

This week's "main" interview guest is L0pht Heavy Industries as a group. (We hope to have answers from Linux International head Jon "maddog" Hall tomorrow). Many insightful questions for the L0pht guys were posted Monday. Today, lots of insightful answers on everything from political controls on the Internet to hardware hacking. (Click below to read.)

1) Which do you consider more dangerous
by Gleef
Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

L0pht
While both Governments and multinational corporations are detrimental to personal liberties on the Internet, one must not overlook the greatest danger of them all. The uninformed citizen. In democracies, this is problematic, where governmental policy typically follows public opinion. In the case of the Internet, one will find that most citizens of the world are willing to give up personal liberties in exchange for perceived safety and piece-of-mind. For the safety of the children, is cited commonly.

Many people believe that anonymous access to the Internet is criminal behavior. Government would like you to think privacy is an "anti-social" behavior. You should have nothing to hide, should you? You wouldn't be reading up on the consecration of explosives, looking up security holes in various operating systems, or possibly downloading the latest crypto software, would you? Only terrorists do that.

Governments are lobbied by uninformed citizens, or citizens which are easily manipulated and swayed by various groups across the gambit of our modern civilization. Multinational corporations have their hand in the fray by funding these groups or by participation in Associations which provide counsel to government officials on technical matters. Often recommending legislation which will better the profit taking over the sanctity of "personal liberties."

Multinational corporations are problematic in that they operate in a proprietary world. Often outside parties will scrutinize the technological fabric of a communciations service being provided. Should a flaw be found, and published, the corporation claims that the flaw itself is detrimental to the service being provided and litigation is dispatched on the party disclosing the flaw. This has been the case in the Cellular communications venue. Cloning a cellular telephone was a real thorn in the side of the Cellular Industry. They took their gripes to the US Government. The CTIA and their ilk successfully swayed Washington to pass legislation to combat the cellular fraud. Result: A portion of the radio spectrum was made _forbidden_ to reception. Possession of an eprom programmer, a computer, and a cellular telephone became a crime. Meanwhile, the cellular network REMAINS open to eavsdropping. Money is power, and with power comes influence. However, in the end it was the Government, sucking up to industry, which passed the law.

Law Enforcement and Intelligence gathering communities dwell within the governmental domain. Both are lobbying lawmakers to pass laws to give them greater powers to combat crime in this high tech world. Surveillance is paramount. They will convince the lawmakers that without the keys to all communications, a bomb may be set outside Parliment or Congress or .

The government pursuades the people, the people pursuade the government. Who planted the seed first? Those who understand the technology are too busy working on the next cool widget. Meanwhile the technological world rushes toward a global dictatorship and the populace embraces it under the guise of security.

2) The net: strip mall or unlimted human potential?
by garagekubrick
The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...

L0pht
The Internet has changed dramatically over the last year or two and with it the underground has also changed. Back in the good ole days (1995+6) every web site was underground, hell the entire internet was underground.

As the web increasingly encroaches onto the mainstream and large portal and corporate sites take over feeding you only the information they want you to see, the underground will evolve and change and morph to suit its surroundings.

There is definitely still an underground. In some aspects it is a lot larger than it used to be and in others it seems to be much much smaller. I think labeling the underground as 'the one true medium with liberation' is laying it on a little thick. The internet underground has been nothing but the exploration for knowledge, if you are looking to it to save mankind from itself your looking in the wrong place.

Governments are increasingly encroaching on personal liberties and freedoms of the average citizen, this is unfortunate. How much longer before the population as a hole realizes what is going on and says enough? Maybe they will never wake up. Will the governments eventually control the internet? Possibly. It is hard to tell but there will always be those who will resist that control and the underground will continue in one form or another.

While the web, as you put it, may become 'an enormous cyber strip mall' I can't help but think of the trash dumpsters behind that mall and what secrets they may hold.

3) Internet Worm II
by tilly
Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

L0pht:
I believe your prediction is right on track. However, I don't feel that an Internet Worm II is necessary to teach Microsoft, its customers, or its vendors, about security. There are three ways to implement a security model, the slow way, the fast way, and the right way. The slow way involves making a bunch of little mistakes and fixing them over time as you find them, correcting your policies and implementations. The fast way involves having a major disaster occur, after which the faulty parts of the system are completely torn apart and reimplemented. In practice, the slow way often leads to the fast way.

Which brings us to the right way: To design software with a security policy in mind, and with extra caution, care, and expenditure during the implementation. OpenBSD's model of proactive security measures is a classic example of 'the job done right'. Retroactively applied security measures are a recipe for disaster.

Rant off.

As for when Microsoft is going to learn about these things, they'll first have to learn that 'bigger isn't necessarily better'. They need to stop believing their own FUD before they can actually make change over there. When I read things like the article at http://www.microsoft.com/ntserver/nts/news/msnw/LinuxMyths.asp, particularly the parts about Linux being less 'secure' than Windows NT, I'm appalled at the ridiculous 'facts' that are being used to back up their claims. For example, they claim that:

"Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate."

While this statement is true, they neglect to mention the fact that under a unix operating system, most things that correspond to Windows NT kernel objects, file, data structures, etc, are represented as files. Hence, the coverage of the security model for Linux is just as extensive, even more so, than Windows NT. This is a particularly bad statement, simply because it's not only incorrect, but the converse is true. Linux is more flexible in terms of permission management. Try setting the access controls on who can bind to a particular port under Windows NT, with the ease of chmod and portfs under Linux, and you'll fail miserably. And the list goes on.

(And as for 'access control lists', we've noticed that Windows can't seem to get the right default ACLs anyway, and that the complexity of managing them has outweighted the value of their 'flexibility'.)

As for your comments on the Windows NT TCP/IP stack being vulnerable to attack (possibly, who knows :P) and the possibility of a worm destroying Windows systems, the possibility is very real. And again, this possiblity is not unique to Windows. They're just a likely target at this point in time.

It would take a feat of dedication and great skill, but the possibility is there. My advice to anyone who's worried about this, is this: If you're going to use Windows NT, you should probably keep that firewall in place between those Windows service ports and the rest of the world. Microsoft loves to add services and open ports to your computer when you're not looking. And it's probably not going to be the IP stack, it'll probably be some goofy listening service, like anonymous share enumeration or something. Or maybe remote access to NetDDE. Or some authentication protocol that doesn't like large Netbios fields. Or possibly even some undocumented functionality in the named pipe filesystem used for RPC. Who knows. Personally, I'm not going to wait around to find out.

4)The Public's Perception of Hacking
by dmuth
First, I should probally preface this geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find > objectionable. I've even heard the term applied to spammers!

Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselves.

So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.

L0pht:
The first thing you need to do is refer to yourself as a hacker and be prepared to educate the person you are talking to what you mean by that. It doesn't matter if you are talking to someone from the media, or the government, or the business world. People need to know the real meaning of hacking, its history, and what a positive thing it is.

A lot of the time we talk to the media just because we are afraid that if we don't there will be no one they talk to who will describe hacking in a positive light. No one to describe it as other than defacing web pages or breaking into .mil sites. This was one of the reasons we wanted to talk to MTV. We were afraid their story would be all about criminal hackers. If you saw the MTV show you saw that sometimes resistance against the media memes is futile. The show was 95% about illegal activity.

Yet the world of hackers is 95% non-criminal. Probably a better percentage of people behaving positively than most segments of society. It is a world of people exploring the edges of technology and building things. The crazy thing is the government is making more and more of that exploration illegal.

Reverse engineering security mechanisms is being considered a crime. Receiving digital radio signals is a crime. We can't let them wall off part of the world we inhabit from investigation.

Hackers have a positive role to play both as builders and critics of the digital world. Unless we speak up and refer to ourselves in that light we have only ourselves to blame. Everyone who can should educate. Its not easy changing perceptions. But sometimes a passionate personal explanation of what hacking means to you can make someone change their mind.

5)security of capability-based operating systems
by sethg
What do you think of capability-based systems, such as EROS? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?

L0pht:
It's nice to see work such as EROS comming out of DARPA funded projects. Capability-based systems are quite interesting. However, one must be quite careful when making statements such as the one that these systems are more fundamentally secure that others. One has to keep in mind that Windows NT made a similar claim. Was NT fundamentally more secure that Unix as was presented to the general public? Well, it did have a security model that Unix lacked and it's internals were much more akin to VMS which had various strengths that Unix lacked. Yet we all saw that the implementation is where it matters.

In reality the implementation is key. Things can look great on paper and be a real bear to implement (look at communism for example). Another key component that is often overlooked is the functionality. This is a double edged sword. If the system is not universal and generic enough in nature to exist in a plethora of environments then it is difficult, if not impossible, to gain wide scale acceptance and use. Of course, this notion is directly opposed to creating a secure operating system. If it has to work in a multitude of environments then it needs to be relatively open and flexible or else the skill set and support for integrating it into one specific environment is beyond most peoples abilities (ie it won't get used). Sun Microsystems ran in to this problem with older versions of SunOS (now retroactivly named Solaris 1.x) when they used to consistently ship with a '+' in /etc/hosts.equiv. After several years they received enough requests to take it out of the distribution for security reasons. Unfortunately, taking it out caused so many installations to not be "plug-n-play" that they promptly put it back in.

When I look at an operating system such as EROS the following pops out at me when thinking security (this should not be viewed as condemnation by any means).

. RTOS modeled.
Real Time Operating Systems can be very useful for directed applications but suffer in general use often times. In addition, certain security notions at extremely low levels of a system (ie hash signing memory blocks that are passed between processors or ASICS) incur overhead that is quite unwelcomed in most of the "general public's" acceptance in RTOS.

. Emulated POSIX and Unix environments
I love Unix. However, it's difficult for someone to maintain the claim that they are more secure than another operating system and then emulate it's behaviour. A good emulation is going to have the good and bad aspects on the security front or many things won't work.

. implementation from the ground up can be painful
Often times it is required. But heaven help the "vendor" that decides that in order to be their own maker they will do it from scratch without looking at the mistakes that others have made. We see it all too often that people decide to reinvent the wheel and foist square versions on people the first time around.

With all of that being said I believe that in the future, should people start to wake up and really appreciate the notion of security and privacy in a way that really influences the market... we will see more dedicated systems and fewer general purpose ones. In order to go that route projects such as EROS are invaluable.

6)Security Through...Unpredictability?
by Effugas
Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than an expertly controlled failure?

If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursuing, for various reasons?

L0pht:
You must be a kindred spirit :) We have been preaching the approach that most stability problems are security problems that have not been looked into enough for quite some time. By fixing security problems you enhance the stability.

Now, with that said, it is important to shoot for the pinultimate solution to problems and this ends up being a wonderful academic excercise (out of which great things come). Do we shun any notions that merely raise the bar instead of being the silver-bullet? No. Each elevation in design is a step in the right direction. It is apparent that we have many steps in front of us but this does not mean we should stop progressing until a magic cure is found.

Unpredictability in systems, such as loaders or interpreters that recurse random times to throw off "static" frame location and other mechanisms (ie canary values) etc. are some of the finer points that I see coming out of the security approach to implementations. Are they ready for production systems? It all depends upon what your production system must be capable of. In many cases the answer is yes. In some cases the answer is no.

7) Future of Hardware Hacking?
by Tackhead
Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

A) Wireless.
Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

> When do we get to see some hardware projects to build, or is it the case that -- due to regulatory restrictions on what can and cannot be transmitted on US airwaves -- work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready? :-)

L0pht:
The Gnet project has been in progress for many years now. Mainly the problem had been lack of funds, but now time allocation and lack of dedicated participants hold back expansion.

There is a lot of interest, but no one seems to be willing to put up the nodes. There are 2 sites currently on the network. One at l0pht and one at a residence. This has been the state of the network for the past 2 years. Unfortunately no one with enough initiative in either state has been found to setup other nodes. There has been interest in other states but the long haul capability has yet to be worked out. Encrypted tunneling over the Internet may help span the network over long distances. Once the fabric of the network expands, landlines could be replaced with wireless links/nodes.

High-density, low-power networks sound great in theory, but until the interest level rises above its present state, the cellular structure will remain the dominant topology.

To get the network off the ground, we have been trying to go the Amateur radio route. Going this route does have its drawbacks. Encryption is forbidden, however compression is not. I have been running ssh in compression-only mode for years. The initial ssh authentication is allowed under FCC guidelines, as long as the communications is not encrypted, you are within the rules.

The move off the Amateur frequencies will be made once the cost of National Information Infrastructue (NII) part-15 devices drop under $500 dollars for a pair of nodes. These devices fall operate in the 5Ghz frequency range. The breakdown is as follows:

• 200 milliwatts EIRP (5.15-5.25 GHz) - indoor
• 1 watt EIRP (5.25-5.35 GHz) - inter-campus/neighborhood
• 4 watts EIRP (5.725-5.825 GHz) - Point-to-point, few miles, terrain permitting.

Other devices which are useable in the project are ISM band Part-15 devices which operate in the 900Mhz and 2.3Ghz frequency range, and dwell in the Wireless lan arena. Wavelan(Roamabout) http://www.wavelan.com, and rooftop networks (just purchased by Nokia) among others, players in the 900Mhz and 2.3Ghz arena. Older wavelan equipment can be found by searching auction sites and used equipment dealers. Early wavelan 2Mbps/sec ISA/PCMCIA cards can be found for ~$125.00 US Dollars. The problem with these cards is they don't conform to the IEEE 802.11 Wireless Ethernet specification. This is one inherent problem with building the network out of old equipment. It becomes costly to replace eqiupment once the entropy ball starts rolling.

The path to build custom equipment is equally as challenging. For example, the TAPR (Tucson Amateur Packet Radio) group has been in the forefront of Amateur packet radio for the past 15 years. While they have an established base of dedicated users, they continue to have problems developing new hardware. They have been prototyping a Frequency Hopping Spread Spectrum (FHSS) system for 3 years now, with still a protoype just passing a design review. Hopefully this project will come to fruition soon!

Some very talented folks over in Slovenia have developed some BPSK transceivers and a no IF SSB transceiver which will work on 1296, 2304 and 5760MHz. None are in kit form but the schematics, theory, construction notes, and equipment checkout is available in english. (schematics are not in english.). These radios are not for beginners or even intermediate kit builders. It would be nice if someone could kit these units. I started to convert the 23cm BPSK design to utilize a chipset family put out by RF Microdevices, but then my time got sucked into other projects. I may find the time to persue this once again, but I would like to get some semblence of a network greater than 2 nodes up and running first. *sigh*

B) The future of hardware hacking.
With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace [PROM| EPROM| EEPROM| PIC| FPGA] with one with the following special programming, and here's the [CPU| microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

L0pht:
It is true that the Electronics industry is moving toward much denser Multi-chip module like IC's. System-on-a-chip (SOC) is beginning to make inroads in communications equipment. Celluar/GSM/PCS phones are beginning to sport such technology. SOC will also revolutionize the security coprocessor industry.

What we see here is the bar being raised in the HW hacking arena. Remember cost still drives much of the industry and you will continue to see many devices still using microcontrollers. There are many, many internet appliances using standard Embedded Processors and peripheral IC's. The hackers are just going to have to bone up on thier FPGA hacking skillz. Monitoring the inputs of an FPGA and then the outputs, and hacking together an FPGA to drop inbetween isn't unheard of.

Hardware hacking today does require a bit more than the standard weller solding iron, a 50Mhz scope, and a multimeter. With processor speeds moving up into the 800Mhz range, you fall flat on your face with those stoneage tools. The trend in general is hardware which is becoming more and more abstracted and described by high-level programming languages such as verilog and VHDL. One must stay abreast of the latest tools in his trade. There are also relatively inexpensive "soft" tools, in that a spectrum analyzer, logic analyzer or a scope utilizes the modern PC as the guts of the device and an inexpensive physical interface module is purchased along with software for the host. The interface is typically a data acquisition pod for converting the sampled analog data into the host PC for processing and the presentation.

The security of FPGA's is definately going to become more of a target in the future. I can't think of anyone that doesn't set the security bit of FPGA before programming a device. Ummm.. Hmmm.. maybe I shouldn't say that. ;^) It does happen. There are also some not so well known ways around "securty bits" on FPGA's. Also, most FPGA's will allow you to reprogram them in circuit whether or not the security bit is blown. You just better be sure you can reproduce what you monitored before squirting in your own code.

Remember there are many more ways to fry an egg, such as voltage margining, or operating a circuit over/under current and temperature specifications. Hitting HW with various RF emissions (above and beyond what stantard emissions/immunities tests test for.) can also produce interesting results and insights.

And as you alluded to in your question, hackers will build their own hardware which will interface to the service/system under attack, which will allow for variable, marginable, modules to provide the flexibilty which the stock standard HW didn't provide. Study communications test equipment. Many secrets lie inside.

A lot of today's "hardware hacking" isn't strictly limited to hardware, due to the fact that most products are embedded systems - meaning there is a union of hardware and software. Those who are strictly "hardware guys" will fall by the wayside and those who are strictly "software guys" will also fall. You will need to have a decent knowledge of both the software and the hardware environment you are programming for. I have seen companies struggle because they hire CS folks to write firmware for a product. These particular folks could not grasp that they were writing for a platform other than a PC or desktop. They didn't understand how interrupts worked, how to write to a port, how to write low-level drivers to control external memory or other devices on an SPI, I2C or other inter-chip protocol. What ended up happening is the company called in the hardware engineer (me) to write all the low-level functionality. In order to properly design a product (and reverse engineer the product), you need to be able to grasp all facets...

The industry today is really in a sad state and I am fearful of the quality of the products that are due to come out on the market - the hardware and circuitry is sound and well-structured, but the software will have major fault and, because of this, many possibilities for vulnerabilities.

C) The future of l0pht.
(At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardware projects" side?

L0pht:
Both. Hardware projects, since the beginning of time, are more costly, require more tools than software, and mroe often than not, more time consuming. Due to this, the amount of publicly-known activity appears to be less. As mentioned before, there will be more and more projects that require the knowledge of both hardware and software sides, where L0pht fits the bill perfectly. There are so many products and technologies to look at, there is no way we can limit ourselves by saying what activities we will and will not do. If something comes out, be it hardware or software, that we want to attack, we will.

8)What engines/sites do you use to scour the 'Net?
by Bacteriophage
Seriously, I would like to know. When you sometimes don't have all the answers (I assume that would be more than never), where do you guys go on the 'Net to find what you need concerning computer security, **/*acking, or even just news? Do you ever come to /.? This answer shouldn't take very long, and it'd be nice to get the seperate preferences of each crew member, as well as the general preferences of the group.

L0pht:

Generic search:

Altavista or NorthernLight for a spider based search Yahoo for a topic search.

Ask Jeeves when I don't really know what it is I am looking for.

security/hacking: altavista - word sequences work well. A recent example would be a search for the PCI specification by looking for "pci spec".

yahoo - when altavista doesn't help

Hacker search:

• The Hacker News Network Search Engine Page - Lots of undergound spiders http://www.hackernews.com/search.html
• attrition stats - http://www.attrition.org/mirror/attrition/stats.html
• eEye stats - http://www.eeye.com/html/Databases/Statistics/os.html
• NMRC - Good Novell NT and Unix info. www.nmrc.org
• counterpane - for books (through amazon) and lots of free information on crypto too.
• www.jya.com/crypto.htm - for the good cypherpunk info

------

Next week: Steve Wozniak (and a special pair of *surprise* guests Tuesday).