
Category: Black Hat Las Vegas

August 9th, 2008

Black Hat Las Vegas Day 2

Posted by Nathan McFeters @ 10:31 am

Categories: Arbitrary Code Execution, Black Hat, Black Hat Las Vegas, Browsers, Complex Attacks, Exploit code, Hackers, Java, Locally Running Web Servers, Microsoft Blue Hat v7, Research, Responsible disclosure, Social Networking Applications, Sun Microsystems, Vulnerability research, Web 2.0, Web Applications, Windows Vista, Zero-day attacks

Tags: black hat, microsoft corp., applet, image, vegas, nathan mcfeters

Again, sorry for the late updates.  Vegas is the kind of place that demands a lot of a person, and too many parties make it difficult to find time to blog about the conference.  Pictures of the event are a bit sparse, since I consistently forgot to bring my camera, but I will post them shortly.

Day 2 began a bit rough for me, but I forced myself down to catch Shawn Moyer and Nathan Hamiel’s talk, “Satan Is On My Friends List”.  The talk was really solid and focused on attacking social networking sites such as MySpace, Adult Friend Finder, and LinkedIn.  The pair pointed out numerous flaws with these sites, such as impersonation, theft of sensitive data (pics, etc.), and arbitrary code execution (through various plug-in applications).

Read the rest of this entry »

August 8th, 2008

Black Hat Las Vegas Day 1

Posted by Nathan McFeters @ 1:57 pm

Categories: Adobe, Arbitrary Code Execution, Black Hat, Black Hat Las Vegas, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Flash, Hackers, Kernel-level Exploits, Responsible disclosure, Vulnerability research, Zero-day attacks, ~Special Series~

Tags: black hat, billy rios, dan, phishing, cyberthreats, spam, viruses and worms, security, spam and phishing, nathan mcfeters

Well, this is quite late, but here’s my recap of Black Hat Day 1. Sorry for the delay, but I’ve been terribly busy finishing up preparations for my Day 2 talk.

The first talk I went to see, “Pointers and Handles, A Story of Unchecked Assumptions in the Windows Kernel”, by Alex Ionescu, discussed a number of vulnerabilities in the Windows kernel-mode library responsible for the Windows GUI subsystem. Most of this talk centered around attacking code where bad assumptions were made regarding the validity of pointers before they are dereferenced, and abusing the kernel mechanism of “protect from close” handles.

Read the rest of this entry »

August 2nd, 2008

On GIFARs

Posted by Nathan McFeters @ 10:37 am

Categories: Black Hat, Black Hat Las Vegas, Browsers, Complex Attacks, Data theft, Exploit code, Hackers, Java, Linux, Microsoft, Mozilla, Research, Responsible disclosure, Sun Microsystems, Vulnerability research, Web 2.0, Web Applications, Zero-day attacks, eBay, ~Special Series~

Tags: Black Hat, Vector, Applet, Image, Attack, Heasman, Nathan McFeters

Ever since Rob McMillan of IDG published a story giving a preview of our coming Black Hat talk, specifically a preview of the portion of our talk related to GIFARs, media coverage of the research has swirled a bit out of control and there have been some misconceptions.  My co-presenter John Heasman has a write-up on GIFARs that explains this all just a bit more.

We of course want to avoid giving all of the details until Black Hat, where it will be much easier to demonstrate with an example, but this should clear up some of the misconceptions.  If you happened to see PDP of Gnucitizen give his talk at Black Hat Amsterdam last year, this combination of images with applets might not be brand new to you.  We were unaware of PDP’s research at the time of our discovery, but that was fortunate, for it allowed us to take a different path, using HTTP requests to piggy-back on the browser’s cookies.  To clarify, PDP’s research and ours are similar only in the fact that we both use applets within images to accomplish our goal.  Heasman explains the usefulness of this on his blog, so I won’t rehash it here.

We’re excited to present on this topic, but we are even more excited for what we hope to present at Black Hat Japan, which extends this attack even further, making it more dangerous.

Read the rest of this entry »

August 1st, 2008

Black Hat Sneak Preview

Posted by Nathan McFeters @ 12:46 am

Categories: Adobe, Black Hat, Black Hat Las Vegas, Complex Attacks, Exploit code, Flash, Google, Hackers, Java, Research, Responsible disclosure, Sun Microsystems, Vulnerability research, Web 2.0, Web Applications, Windows Vista, Yahoo!, Zero-day attacks, ~Special Series~

Tags: Black Hat, Java Applet, Web Application, Web Browser, Applet, Attack, Billy Rios, GIFAR, Java, Programming Languages

Rob McMillan from IDG interviewed John Heasman and me today about the presentation we will be delivering with Rob Carter at Black Hat Vegas next week. The article has a good teaser about one of the more interesting of the many attacks we will cover, namely what we’ve coined the GIFAR attack. We’ve also got a previous teaser that I covered here on some of John Heasman’s work on NTLM relay attacks through Java applets.

For those who are not familiar with this, we originally discussed it during the Black Hat webcast. The attack involves combining two files, for instance a GIF image file and a JAR (Java Archive) file that contains class files for a Java Applet. GIF+JAR=GIFAR. The idea is that the same file will be rendered as a valid image by a browser, while also being treated as a valid JAR file by the Java Virtual Machine when it is loaded as a Java Applet.
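To make the GIFAR idea concrete from the defender’s side, here is an added Python example (mine, not code from this post or from the presenters) that checks whether an uploaded “image” is also a readable ZIP/JAR archive, and cuts off anything appended after the GIF’s real trailer. The 1x1 GIF, the placeholder JAR contents and the file names are constructed for the demonstration; the only real behaviours it relies on are the GIF block layout and the fact that `zipfile` (like a JAR loader) locates the archive from the end of the file, which is exactly why one file can satisfy both parsers.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD = b"PK\x05\x06"  # ZIP end-of-central-directory signature, read from the tail

# Constructed 1x1 GIF89a used as the image half of the test fixture (35 bytes).
MINIMAL_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00"            # logical screen: 1x1
    + b"\x80\x00\x00"                # packed (global color table, 2 entries), bg index, aspect
    + b"\x00\x00\x00\xff\xff\xff"    # global color table: black, white
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local table
    + b"\x02"                        # LZW minimum code size
    + b"\x02\x44\x01"                # one image data sub-block
    + b"\x00"                        # sub-block terminator
    + b"\x3b"                        # GIF trailer
)


def is_gif(data: bytes) -> bool:
    """What a browser keys on: the signature at the very start of the file."""
    return data[:6] in GIF_MAGICS


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed GIF data sub-blocks (ends at a 0-length block)."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the real trailer (0x3B).
    Searching for the last 0x3B byte is not enough: it can occur inside pixel data."""
    if not is_gif(data):
        raise ValueError("not a GIF")
    try:
        packed = data[10]
        pos = 13  # header (6) + logical screen descriptor (7)
        if packed & 0x80:
            pos += 3 * (2 << (packed & 0x07))  # global color table
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:
                return pos
            if block == 0x2C:  # image descriptor
                local_packed = data[pos + 8]
                pos += 9
                if local_packed & 0x80:
                    pos += 3 * (2 << (local_packed & 0x07))  # local color table
                pos += 1  # LZW minimum code size
                pos = _skip_sub_blocks(data, pos)
            elif block == 0x21:  # extension block: label byte, then sub-blocks
                pos += 1
                pos = _skip_sub_blocks(data, pos)
            else:
                raise ValueError(f"unexpected GIF block type 0x{block:02x}")
    except IndexError:
        raise ValueError("truncated GIF") from None


def zip_members(data: bytes) -> list:
    """Member names if the blob is also a readable ZIP/JAR, else [].
    zipfile finds the end-of-central-directory record from the end of the file and
    tolerates arbitrary bytes before the archive, as a JAR loader does."""
    if ZIP_EOCD not in data:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def is_gifar(data: bytes) -> bool:
    """Both a GIF (judged by its head) and a readable archive (judged by its tail)."""
    return is_gif(data) and bool(zip_members(data))


def strip_appended_data(data: bytes) -> bytes:
    """Keep only the bytes the GIF structure accounts for; drop any appended archive.
    Re-encoding uploads through an image library achieves the same more robustly."""
    return data[: gif_end_offset(data)]


def build_sample_gifar() -> bytes:
    """Constructed test fixture: the 1x1 GIF with a placeholder JAR appended.
    The 'class' entry is filler, not bytecode; it only has to be a valid archive member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Placeholder.class", b"placeholder, not real bytecode")
    return MINIMAL_GIF + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_gifar()
    print("is_gif:", is_gif(sample), "archive members:", zip_members(sample))
    print("gifar:", is_gifar(sample), "-> after strip:", is_gifar(strip_appended_data(sample)))
```

The point of the block walk is that an image validator which only checks the first six bytes (or which trusts `Content-Type`) accepts the polyglot, whereas accounting for every byte of the GIF structure exposes the appended trailer; on an upload path the cheaper and more general mitigation is to re-encode images so that nothing the decoder did not understand survives.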

Read the rest of this entry »

July 31st, 2008

Black Hat talk on Apple encryption flaw pulled

Posted by Nathan McFeters @ 7:11 pm

Categories: Apple, Black Hat, Black Hat Las Vegas, Hackers, Microsoft, Research, Vulnerability research, Zero-day attacks, ~Special Series~

Tags: Black Hat, Researcher, Apple Inc., Flaw, Security, Nathan McFeters

Brian Krebs from the Washington Post “Security Fix” Blog reported that one of the talks slated for next week’s Black Hat convention on a previously undiscovered flaw in Apple’s FileVault encryption system has been canceled, the researcher citing confidentiality agreements as the reason he will not be speaking.

The article states:

Read the rest of this entry »

July 24th, 2008

Kaminsky suggests long-term fix will still have to be determined, but patch now, or pay soon

Posted by Nathan McFeters @ 2:30 pm

Categories: Black Hat, Black Hat Las Vegas, Complex Attacks, Exploit code, Hackers, Metasploit, Patch Watch, Research, Responsible disclosure, Vulnerability research, Zero-day attacks, ~Special Series~

Tags: CERT, DNS Server, Server, Kaminsky, Dan, Patches, Domain Names, Security, Internet, Nathan McFeters

I listened to the Black Hat webcast today to grab as much info as I could on this subject. The biggest thing I took from the whole talk is that the patch fixes things to a reasonable point, but that in the long term more work will have to be done to prevent the issue. Before I get into the details: this was not an interview. I was simply taking shorthand notes, so I did my best to get direct quotes of what was said, but in some cases this may not be 100% accurate. If any speakers from the webcast or readers of the blog see errors, please email me and I will quickly strike through and change them.

Kaminsky said that,

The exploit is now 10s of thousands of times harder, but still possible. 1 in several hundred million to 1 in a couple billion.

and

If it took seconds to minutes before, it still could work, but now it’s days or hours at worst.

Click below to read the rest…

Read the rest of this entry »

July 21st, 2008

2008 Pwnie Award nominees announced

Posted by Nathan McFeters @ 9:12 am

Categories: Adobe, Arbitrary Code Execution, Black Hat, Black Hat Las Vegas, Complex Attacks, Data theft, Exploit code, Firefox, Flash, Hackers, Kernel-level Exploits, McAfee, Microsoft, Research, ToorCon Seattle 2008, Vulnerability research, Web Applications, Windows Vista, Zero-day attacks, ~Special Series~

Tags: Nominee, Vulnerability, XSS, Attack, Flaw, Dan, XSS Flaw, Lifelock, Security, Nathan McFeters

Well, after getting 134 nominations and spending countless hours pulling out nominees, the judges for the 2008 Pwnie Awards have announced the final nominees to be voted on.  From the site:

The final list of nominees for the nine Pwnie Award categories is finally published. We’ve received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we’ve done a good job. The next step is for the Pwnie Awards judges to gather in an undisclosed location prior to the award ceremony and vote on the winners.

I’m especially excited about this, since Rob Carter, Billy Rios, and I were nominated for Best Client-Side Bug for our URL and protocol handling flaws research, which just seems to never end, by the way (and keeps continuing; see a future talk we will put on at some Black Hat down the road).  We’re up against some stiff competition though, including my fellow Ernst & Young Advanced Security Center co-worker Nitesh Dhanjani, which makes it a great year for EY, with three current members (myself, Rob Carter, and Nitesh Dhanjani) and one former member (Billy Rios) involved in the Pwnies.

For more, read-on!

Read the rest of this entry »

July 17th, 2008

Romanian authorities arrest cybercrime suspects

Posted by Nathan McFeters @ 7:02 pm

Categories: Black Hat Europe, Black Hat Federal, Black Hat Las Vegas, Phishing, eBay, ~Special Series~

Tags: Arrest, eBay Inc., Romania, Romanian, Phishing, Identity Theft, Cyberthreats, Spam, Viruses And Worms, Security

Well: eight days, a joint effort to help prevent phishing, and two major arrests related to identity theft, and I feel like we’ve made a decent attack on the identity theft culture. Score one for the good guys for once.

Just a day after reading Dancho Danchev’s story on Owen Walker being arrested, and about eight days after Dancho covered a story on eBay, PayPal, and Google teaming up to combat phishing, we have a large group of about 20 people arrested in Romania on charges of running online fraud schemes. From Grant Gross of IDG News Service:

Authorities have arrested more than 20 people in Romania who are suspected of running online fraud schemes, according to media reports.

The Tuesday arrests were confirmed by the U.S. Federal Bureau of Investigation, which has been working with Romanian officials on cybercrime in recent months. The FBI would say only that the agency is aware of the arrests and because “this is an ongoing matter, we will have no further comment at this time.”

Read the rest of this entry »

July 15th, 2008

Kaminsky to discuss DNS flaw at Black Hat sponsored webcast

Posted by Nathan McFeters @ 3:35 pm

Categories: Black Hat, Black Hat Las Vegas, Hackers, Research, Vulnerability research, ~Special Series~

Tags: Black Hat, Webcast, DNS, Flaw, Domain Names, Networking, Internet, Nathan McFeters

The Black Hat group on Twitter sent out a message today alerting people to a webcast to be put on by Dan Kaminsky on the DNS vulnerabilities that I’ve covered heavily, as follows:

The story has also received extensive coverage over at Securosis, where Rich Mogull has provided a podcast on the subject.  The Black Hat webcast details are listed below, including the registration information:

Registration Now Open for BH Webcast number 2 With Dan Kaminsky

It’s all over the news: Dan Kaminsky found a major, fundamental flaw in DNS that renders practically any name server vulnerable. He’ll be speaking in depth on this discovery in August at BH USA, but he’s agreed to discuss it a few weeks early. Get your best questions ready - the webcast will be live Thursday, July 24 at 1pm PT/4pm ET.

Join Dan Kaminsky, director of penetration testing for IOactive; Jerry Dixon, former director of the National Cyber Security Division at DHS; and other experts to discuss the largest synchronized security update in the history of the Internet. Dan will tell the story behind the discovery, and the process of creating and deploying the fix.

I’ll be there, as it’s always interesting and entertaining to hear Dan talk.  Also, you should note that Dan’s talk at Black Hat is followed by my talk with Heasman and Rob Carter in the exact same room.  Might I suggest you just hang out and see our devastating talk as well?  With a title like “The Internet is Broken”, you can imagine we have a lot of interesting stuff to deliver.  Shameless plug, I know, but we’ll make it worth your while.

-Nate

July 15th, 2008

Finding the name behind the GMail address

Posted by Nathan McFeters @ 12:21 pm

Categories: Black Hat, Black Hat Europe, Black Hat Federal, Black Hat Las Vegas, Google, Hackers, Microsoft Blue Hat v7, Research, ToorCon Seattle 2008, Vulnerability research, Web Applications, Zero-day attacks, ~Special Series~

Tags: Google Inc., Google Gmail, SecuriTeam Blog, Phishing, E-mail Providers, Cyberthreats, Cloud Computing, Spam, Viruses And Worms, Security

Ah, this is a fun little trick.  I’m not sure if it represents a vulnerability, but I certainly expect Google will try to get rid of this feature.  The SecuriTeam blog has reported that it is possible to expose the full name of the user who registered a GMail account.  This is, of course, contingent on the person who registered the GMail account not having used a fake first and last name, but it is still an interesting trick.

The reason this vulnerability exists is the strong tie-ins between GMail and all of Google’s other services, such as Google Calendar, Blogger, and Google Code, and the strong desire for Google Apps to be able to share data with people.  This isn’t the first time, the second time, or the last time the strong tie-ins have produced interesting results; see my post on Billy Rios’s Google Code exploit, Billy’s taking ownership (pwnership) of content attacks against Google Spreadsheets, Billy and I stealing documents from Google Docs, and my talk at Black Hat for more.

The steps to accomplish this are as follows:

  1. Sign up for Google Calendar
  2. Go to the ‘share this calendar’ tab
  3. Enter the email address in the ‘person’ box
  4. Click ‘add person’ and ‘save’
  5. When you return to this screen you will see the first and last name along with the gmail address

Read the rest of this entry »

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
