I am doing some development in PHP and MySQL at the moment and was getting frustrated dealing with SQL. There isn't anything inherently wrong with SQL, it's just that I don't know it as well as I should. I wanted to make a backup copy of a table and had to look up the SQL syntax to do it. This was easy to do and it worked, but last night, while my mind was coming down from its caffeine-induced high, I thought: "Wouldn't it be nice to be able to treat the database as a filesystem and use commands like mv, cp, rm, grep."
I then came up with an entire plan for how the directory structure could work, what projects I could look at to learn how to implement a filesystem (gmailfs, FUSE) etc. The last thought I had before 3am was: "I bet someone has done this already," and they have.
Check out SQLFS (sourceforge page) and LinFS. Both seem quite alpha and I can't even find the download for SQLFS. Has anyone else used one of these or a variant? What were your experiences?
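To make the filesystem analogy concrete, here is an added example (written for this page; it is not code from the post, SQLFS or LinFS) that maps ls, cp, mv, rm and grep onto SQL using Python's sqlite3 module against an in-memory database. The `DbFs` class, the `users` table and its rows are all constructed for the example. Table and column names are validated against a strict pattern and quoted, because identifiers cannot be bound as query parameters; the search term is bound as a parameter with its LIKE wildcards escaped.

```python
import re
import sqlite3

# Identifiers (table/column names) cannot be bound as query parameters,
# so they are validated against a strict pattern and double-quoted instead.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name):
    """Return a safely quoted SQL identifier or raise ValueError."""
    if not IDENT_RE.match(name):
        raise ValueError("refusing to use identifier %r" % name)
    return '"%s"' % name


def like_escape(text, esc="!"):
    """Escape LIKE wildcards so a search term matches literally."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


class DbFs:
    """Filesystem-style verbs over the tables of one connection (hypothetical helper)."""

    def __init__(self, conn):
        self.conn = conn

    def ls(self):
        rows = self.conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
        return [r[0] for r in rows]

    def cp(self, src, dst):
        # Copies the rows only; indexes and constraints are not copied (see note below).
        self.conn.execute("CREATE TABLE %s AS SELECT * FROM %s"
                          % (quote_ident(dst), quote_ident(src)))

    def mv(self, src, dst):
        self.conn.execute("ALTER TABLE %s RENAME TO %s"
                          % (quote_ident(src), quote_ident(dst)))

    def rm(self, name):
        self.conn.execute("DROP TABLE %s" % quote_ident(name))

    def grep(self, term, table, column):
        # The search term is a bound parameter; only validated identifiers are interpolated.
        sql = ("SELECT * FROM %s WHERE %s LIKE ? ESCAPE '!'"
               % (quote_ident(table), quote_ident(column)))
        return self.conn.execute(sql, ("%" + like_escape(term) + "%",)).fetchall()


def demo():
    """Run the verbs against constructed sample data; returns (tables, grep hits)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        (1, "alice@example.org"), (2, "bob@example.net"), (3, "carol@example.org")])
    fs = DbFs(conn)
    fs.cp("users", "users_backup")                          # cp users users_backup
    fs.mv("users", "users_v2")                              # mv users users_v2
    hits = fs.grep("example.org", "users_backup", "email")  # grep example.org users_backup
    fs.rm("users_v2")                                       # rm users_v2
    return fs.ls(), hits


if __name__ == "__main__":
    print(demo())
```

CREATE TABLE ... AS SELECT copies rows but not indexes, keys or constraints; on MySQL, CREATE TABLE b LIKE a followed by INSERT INTO b SELECT * FROM a keeps them, which is what a backup copy usually wants. The identifier check is the only thing standing between the interpolated table name and SQL injection, so keep it strict.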
While doing some security blog reading I came across three posts which were dealing with underground hacking groups:
- The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)
- Myfip Intellectual Property Theft Worm Analysis
- So who is Diabl0?
The first one is a much bigger story and is doing the rounds on security blogs as 'Titan Rain'; it hints at a very large, powerful hacking underground. Being a newbie to the security world I sometimes forget people like that exist and end up focusing on automated worm attacks and script kiDDiEs.
The third has an interesting update on the arrest of the author of Zotob and Mytob, including the group he belonged to, 0x90-Team, getting hacked and told to stop training script KiDDiEs without adding any actual knowledge. The second, meanwhile, has a great analysis of an interesting worm written for 'commercial' purposes.
So they all point to a criminal underground I don't see much of, each for a different purpose: a loner looking for intellectual property, a group of script KiDDiEs trying to break things and an elite hacking group.
According to one of our sysadmins, Guy Halse, our university webserver was hacked last weekend:
It appears that the University's main web server (lizard) was compromised at about 16:20 on Friday 26th August. The attacker(s) seem to have managed to exploit a security vulnerability in one of the many PHP scripts running on the server in order to obtain shell access to the machine. The shell they created was running with the same privileges as the web server which means that it'll have had very limited access to files on the machine (it will only have been able to alter files owned by the web server process). We're reasonably confident at this stage that the attacker(s) did not manage to escalate privileges on the machine or gain access to the "root" account.
Continue reading "Local PHP Compromise"
One of my readers asked me what I thought of Blue Lane Technology's PatchPoint. Either they have come up with some revolutionary new product or they are spouting marketing speak and selling an IDS.
PatchPoint is a network appliance-based solution that emulates vendor patches inline, which enables servers behind PatchPoint to continue performing as if the appropriate vendor patch had been installed. PatchPoint instantly creates a patched state for critical servers, which means that the vendor patches can be deployed at a later, more convenient time.
Their description of how it works makes it sound a bit like an IDS, with an ActiveFix being a signature. Other than that the site is scant on technical details. If this is an Intrusion Prevention System integrated into a device then that could be a pretty cool idea, but I think they will have trouble providing the same community support as Snort and Bleeding Snort.
But right now the unclear marketing speak makes it look like snake oil.
UPDATE: Thomas Ptacek's Second Rule Of Security Marketing
If your inline network security device claims to provide "virtual patching", the box must use the actual binary patch from Microsoft to do it.
I noticed that Google recently started using some sneaky JavaScript to redirect page clicks via them. This is usually done to allow better usage stats. I don't want Google to have more personal information about me than I already give them and it is irritating to copy a link and have to de-googlify it.
For example, this search will take you to:
http://www.google.co.za/url?sa=t&ct=res&cd=1&\
url=http%3A//www.faqs.org/rfcs/rfc3092.html&ei=6Q0FQ-vAH8a2YLq_tf4J
if you click on the first link. The above is the result of Right Click on Link -> Copy Link Location.
So, because I think tinfoil is in this winter I hacked up the Google Sanitiser (source). Clicking directly on the link will redirect you to 'real Google'. This PHP just passes on your normal Google request string and strips the <script> tags and their contents. It also rewrites some <img> tags. Here is a Mozilla/Firefox search plugin for it. Just put it in your ~/.mozilla/searchplugins directory. Now look at the same search, but sanitised. Feel free to host your own sanitiser and save my server bandwidth.
UPDATE 24th Aug 2005:
Ha ha, Google thinks I am spyware. I am not sure what the legalities of this are. I can't see there being much unless they want to outlaw browsers that don't support Javascript. My logs show that a total of 16 people have used the script a total of 32 times (excluding me, I make it 61), this isn't very much so I doubt it is some form of anomaly detection (although it could be).
I moved the script over to another webserver and it worked fine and the sitesearch from my blog worked fine. This indicates they are not just blocking on the hostname or IP. I then tried:
- all sorts of URL modifications including changing the path and vhost name
- removing the <img> tag rewriting thinking that maybe they are picking up on those requests
- I changed from google.co.za to google.com
- I changed/added (fopen doesn't have one by default) the user-agent string
None of these worked. So I whipped out netcat and noticed that PHP's fopen() was adding a "From: phpfopen@rucus.ru.ac.za" header. This appears to be what they are using to block the script. To get around this I stopped using fopen() and now use curl. This allows me to craft my own header which looks like a webbrowser. I even deflate the mod_gzip'ed html. This works great.
Check out the new improved version here. I added in a check to make sure you are coming from my netblock to encourage you to run the script from your own site. Also if I get any nasty e-mails from Google I will take it down, I am not that interested :)
There is also a Japanese translation of this entry available here, thanks to Keiji Takeda.
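As an added illustration of what the sanitiser does (example code written for this page, not the PHP from the post), the following Python strips <script> blocks and their contents, then rewrites any Google /url? redirect href to the target carried in its url parameter, which is the same de-googlifying you would otherwise do by hand after Copy Link Location. As an extra step the original script does not take, it also strips inline on* event handlers. The sample page is constructed to look like a 2005-era result page and is not a real capture; the <img> rewriting and the fetching side (User-Agent and From: headers, gzip) are left out.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# <script> blocks and their contents, which is what the sanitiser strips.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# Inline handlers such as onmousedown="..." (extra hardening, not in the original script).
HANDLER_RE = re.compile(r"""\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
HREF_RE = re.compile(r'href="([^"]*)"', re.IGNORECASE)


def degooglify(link):
    """Return the real target of a Google /url? redirect; other links come back unchanged."""
    parts = urlparse(link)
    if not parts.netloc.startswith("www.google.") or parts.path != "/url":
        return link
    # parse_qs percent-decodes, so http%3A//... comes back as http://...
    target = parse_qs(parts.query).get("url")
    return target[0] if target else link


def sanitise(page):
    """Strip scripts and inline handlers, and rewrite redirect hrefs to their targets."""
    page = SCRIPT_RE.sub("", page)
    page = HANDLER_RE.sub("", page)

    def fix_href(match):
        href = html.unescape(match.group(1))  # &amp; -> & before parsing the query string
        return 'href="%s"' % html.escape(degooglify(href), quote=True)

    return HREF_RE.sub(fix_href, page)


# Constructed sample in the shape of a result page; not a real Google capture.
SAMPLE = (
    '<html><head><script type="text/javascript">var clk = function(){};</script></head>'
    '<body><a href="http://www.google.co.za/url?sa=t&amp;ct=res&amp;cd=1&amp;'
    'url=http%3A//www.faqs.org/rfcs/rfc3092.html&amp;ei=abc" '
    'onmousedown="return clk(this)">RFC 3092</a>'
    '<a href="http://www.google.co.za/search?q=rfc+3092&amp;hl=en">next</a>'
    '<script>document.write("tracker")</script></body></html>'
)

if __name__ == "__main__":
    print(sanitise(SAMPLE))
```

The redirect rewrite only fires for a www.google.* host with path /url, so links that merely carry a url= parameter on some other site are left alone. Attribute values are unescaped before parsing and re-escaped on the way out so that an & in a surviving query string stays well-formed in the HTML.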
Continue reading "MS05-039 and the Zotob summary"
There is a nice mix of technical, governance and theory articles, coupled with some useful side notes, like good security blogs. TaoSecurity is mentioned quite a lot and Bejtlich mentions the mag in his blog too.
This issue contains:
- Security vulnerabilities, exploits and patches
- PDA attacks: palm sized devices - PC sized threats
- Adding service signatures to Nmap
- CSO and CISO - perception vs. reality in the security kingdom
- Unified threat management: IT security's silver bullet?
- The reality of SQL injection
- 12 months of progress for the Microsoft Security Response Centre
- Interview with Michal Zalewski, security researcher
- OpenSSH for Macintosh
- Method for forensic validation of backup tapes
Update: I moved the code to my github repository, get it there.
(See other updates at the bottom)
Many South African Vodacom cell phone users are stuck with a horrid piece of website known as Vodacom4Me. It uses frames and Javascript to ensure some of the slowest load times you can imagine and has a session cookie that expires rather too quickly, leaving you watching page loads most of your day. In addition it is often buggy. The reason many people bear with this awful service is that it lets you send 20 free sms (text) messages a day.
A long time ago this service used to be free and open to anyone; back then we had a cool perl script written by our resident perl guru, Jonathan Hitchcock. However this service soon changed to a login based service and I released a modification of his script. The web team at Vodacom then decided to bludgeon the page a bit more and my last attempt has sat idle and not working.
However, after some considerable effort, I present the new and improved vodasms.
Continue reading "Commandline SMS v2"
SANS has raised their Infocon warning level to yellow. This is because of a large number of exploits available for holes Microsoft patched last week. Patches need to be applied quickly. Releasing all of these patches at the same time still doesn't feel right to me:
- Testing down time for an individual patch would be shorter than having to test several patches
- There would be fewer workarounds that needed to be monitored, thus reducing the chance of human error
- There would be less chance of something breaking as the changes being introduced would be smaller and easier to debug
I find good places to monitor for released exploits are:
UPDATE: SANS and Fsecure are reporting that a worm (Zotob) has been released for the PnP vulnerability (MS05-039). Uh-oh. It only affects machines with port 445/TCP (microsoft-ds) open, so if you can't patch, firewall.
Why is the CTO of ISS looking for shellcode that works against Cisco's IOS? It seems the feud may be ongoing.
UPDATE: Or just gathering info for their IDS?
In the security bulletins Microsoft released today at least three Internet Explorer patches had corrupted digital signatures. Microsoft are working hard to resolve the problem; they seem to have found the cause and things will be right as rain soon. That doesn't bother me too much, although it does create the awkward situation where some users can't download a patch and the exploit is already out. What bothers me is the way this was described. "This only impacts users downloading via Download Center", but this is exactly what it would look like if someone had compromised the patches. Nobody seemed to think about the possibility of hacked patches and Microsoft didn't have to say they weren't hacked, just a bug.
Frankly, patches are a sort of holy grail of malware distribution. Imagine getting a piece of malware distributed via Microsoft Update. You would be able to infect thousands of machines and have administrator privileges. Digital signatures provide a way for us to know that the patches we are downloading are from who they say they are; if they are ignored the mechanism is pointless.
This indicates two problems:
- Microsoft's update software and third party update software should have sterner warnings about digital signature problems.
- Administrators should be more aware of the potential for abuse via patches.
UPDATE: Added link to IE blog.
UPDATE II: All fixed
UPDATE III: Oh come on now, Russell and Mark point out that going to https://cb1.msn.com will get you an invalid cert warning. Did someone over there just decide cryptography is a marketing ploy that isn't working?
UPDATE IV: Thanks to Vhata for pointing out that this entry was quoted in a news story, which is repeated here, here, here, here, here, here and here.
I was looking through Google groups for the earliest mentions of the phrase "patch management". It seems 1992 is the year, although the phrase seemed to be in common use before then. Sun, HP and BSD were three large vendors already dealing with the problems of patch management. It is very funny to read the comments in the messages and see recent research and articles with similar titles. Why has it been 13 years with only minor improvements?
This article from 1996 talked about how 80%-90% of intrusions are due to known vulnerabilities for which there is a patch. Currently CERT reports that 9/10 intrusions are due to known vulnerabilities for which there is a patch. If we take these stats literally, then patch management has gotten worse. In reality it looks like it has stayed the same.
It is interesting to note that the three unix vendors mentioned above were dealing with many of the problems Microsoft has only recently had to face. Q: Is unix patch management more mature? A: Sometimes.
I just re-read Schneier's essay entitled "How liable should vendors be?", and I wonder if this really is a good idea. It sounds like one, but I am not sure. Imagine this:
A vendor releases software to the public with the understanding that it has undergone a mandatory and well defined code/security audit. Any standard vulnerabilities found in the software running in a reasonable configuration must be paid for by the vendor. The amount can be decided based on the vulnerability's (standardised) criticality. The amount of money should not be the total cost of the vulnerability to customers, as that is difficult to determine, especially on a regular basis, but should not be so insignificant as to have negligible impact. There may need to be some consideration for the size of the company and the popularity of the software.
Often security researchers publicly release exploit code to force the vendor to fix a vulnerability. With this model any authors of exploit code beyond what is necessary to disclose the vulnerability will also be fined, as the cost of the vendor fine should be enough impetus to fix the vulnerability. If it is not, then formal avenues can be pursued to either increase the fine or take other appropriate action against the vendor. This would obviously be ineffective against anonymous disclosures.
As for the money, it can go to a number of places: international cyber-defense institutions such as CERT and the SANS ISC, the security researcher who discovered the vulnerability (this may help prevent 'underground' research, but I am not convinced) or some sort of patch quality testers who would help to ensure quality patches are disseminated as quickly as possible. This is all a bit pie in the sky and not central to the model.
Continue reading "Should vendors pay for security vulnerabilities?"

