Archive for the ‘technology’ Category

« Older Entries

So, you pillaged a domain controllers hashes…

Wednesday, February 29th, 2012

So you’ve managed to find your way to a domain controller, perhaps used metasploits meterpreter, perhaps got system, migrated to lsass.exe and perhaps were able to use incognito to smart_hashdump and nab all the password hashes.  Well, you can hand those off to john the ripper and it will happily crack the LM portion of what you’ve got – but you’ll end up with a bunch of uppercase passwords.

Enter lm2ntcrack.pl – a dandy little perl script that will take the uppercase password and use it as a dictionary to crack the NTLM password for you. Only trouble is that since it was written, the awesome guys  at openwall who develop john the ripper have changed the output format of cracked password files. The lm2ntcrack input format was written for a ~2009 version of JtR, so to get it properly working someone had to go and make a tiny tweak in the script where it analyzes the syntax/order of the input file.

So I did it! First time, actually, that I’ve done something like this. And it appears to work! – at least it works on the ntlm hashes I have from a demo network.

 

Anyhow, here’s my updated copy of the script - lm2ntcrack-viss.pl

 

Save that as a .pl file (it’s a .txt so it doesn’t get run on the site).

Feedback welcome!

Tags: , , , , , , , , , , , , , , , , ,
Posted in protips, technology, training | No Comments »

Get your creep on

Tuesday, January 24th, 2012

About a week ago, I stumbled across this post in google reader:

Console Cowboys -I always feel like somebodies watching me.

I read it, I was impressed, and it immediately reminded me of previous work I’ve done. In collaboration with @achillean we scanned the whole internet looking for ddwrt routers with a directory traversal vuln, and wrote a script to step through the findings.The result was a map you could use to find routers based on their mac addresses. The vulnerability was information disclosure of the wan mac address, which likely would have been found by the google street view cars, and the skyhook cars during their sweeps, so if you know the wan mac address of a router, you can translate that to a physical location on a map. I thought this would be perfect to apply the same formula to – except in this case it would be difficult to pinpoint where the camera actually existed unless there was some kind of information disclosure in the video stream itself.

Now let me make this abundantly clear: Nothing is getting recorded or saved. The output here are IMG SRC html links to cameras on the internet. Your browser renders those image streams directly from the cameras. Nothing gets saved or written unless you explicitly choose to save something – kind of like watching television – unless you dvr something or god forbid still own a vcr, in the same manner, you have to choose to record things. That onus is on the viewer.

The author of the console-cowboys blogpost wrote a script to do all the proper API calls against shodan to search for the cameras, then another loop to manually test each result found for the path that shows video. If an HTTP 200 OK was returned for the path, the url was saved.

I took that script, and simply added IMG SRC tags to the output, also adding threading during the checks and one or two small performance tweaks – my second python script ever, and I’m already using threads! (I was kind of proud of this :D )

The results looked something like this. Very simple, but effective:

 

Each image there is actually video. The cameras each output mjpg straight to the browser, so firefox and chrome were both happy to render video. The trouble was that I found more than 550 cameras – so loading that html into a browser caused my ram and cpu to spike.. a lot. It also wanted 2 megs a second (MEGS, not megabits..) of bandwidth just to view the cameras. So I used the split command to tear the huge list into 6 parts, each list containing 100 cameras, and one with ~56 or so. I posted it off the main website before having writing the script – there were several pastebins floating around with the camera list already, so adding html tags to that was dead easy.  I had 200-300 cams in one giant html posted maybe 5 days ago. Everyone had a laugh, and one friend even interacted with one of shops. It was all in good fun for about a week.

Last night I had a member of the information security community raise a concern with me. There was a discussion, and in the end I was berated and called names. As such, I’ve taken down the cam streams from my site. However, I’m absolutely happy to post my script that  generated all the cam streams, since its just a updated version of the console-cowboys posting. I encourage you to buy a shodan account like I did, get an API key and have a look at the sort of things people find valuable enough to put on camera. You’d be surprised. Most of it is HORRIFICALLY BORING, but some of the cameras are streaming labs and industrial areas with what appear to be scada devices and other interesting stuff. I’m glad that the girl in the pizza shop had a sense of humor about it, so good on her for that.

I also encourage you to do some research before you buy something like an internet-enabled camera so that you better understand what it is you’re getting yourself into – there’s a chance your camera has not only a ‘known vulnerability’, but a flat out hardcoded backdoor, like these cameras. This is BY DESIGN. Trendnet wrote in a back door.

Anyhow, I was going to use this as material for my LayerOne presentation if my CFP submission got approved but if there are more infosec patrons out there like our generous benefactor here I can expect more headaches the more I talk about this stuff, so I’ll have to think of something else (sorry Noid/Datagram/M).

Now for the meat!

Here’s the script: camcreep.py

You’ll need to install gevent and shodan modules for python. Google can help you with that.

You’ll need a shodan API key: Shodan API key (insert it where it says ‘key =’ .. you’ll see)

I ran this on my mac with 150 threads. It returned about 10,000 results from shodan, and took Just a hair shy of 7 minutes to run.

The script outputs “camlog_new.html”. Thats one giant monolithic file with ALL the cameras. You’ll want to use the linux ‘split’ command to slice it up into various files. I manually added the page links to the bottom of those files since there were only 6 of them.

Also, since I did this all using chrome, I was using “Ultimate Chrome Flag” which is a really neat extension that lets you see some IP GeoData about the site you’re on. If you right click, then open a cam stream in a new tab, you should see the little flag on the right hand side of the URL bar – that will at least tell you what city or major geographic region the camera you’re viewing is in.

Happy Hunting!

Tags: , , , , , , , , , , , , , , , , , ,
Posted in rants, technology | 2 Comments »

(almost) 90 days with the Motorola Xoom

Monday, May 16th, 2011

Just about three months ago I wrote a quick post about having the Motorola Xoom for approximately 12 hours.

First I’d like to address some of the points I made in my last post:

Now the TODO list:

  • I have both ubuntu and backtrack5 running on this thing in chroots. While I now have access to tools like nmap, skipfish and other command line tools, some of the interesting ones (ettercap, aircrack) do not yet function due to lack of the proper kernel modules. I’ve contributed to the Tiamat kernel thread on the XDA forums asking if adding that kind of functionality was feasible.

 

Verdict:

Everywhere I go, I get asked “is that the new ipad?” and I answer “no, its better”. People look confused. I used to get into debates about it, but now I just dont care. I’ve accepted the fact that the vast majority of people prefer a snappy UI and pretty pictures over functionality and an open attitude. I’ve recently figured out how to get my eye-fi to work with the thing, and I’ve been out a few times while taking pictures and having them zip from my leica directly over the xoom (this is a REALLY cool party trick – I intend on utilizing this somehow combined with a projector at this years ninjapenguin party.).

This platform does everything I need that doesn’t require massive horsepower including simple security tasks – like portscanning and browsing open fileshares, nmapping, and running metasploit. I can watch movies on it, get directions (chrome to phone is awesome on this thing), watch full-screened high-res episodes of southpark from southparkstudios.com and other flash sites (since it supports flash) browse full HTML5 and flash websites, and even set it up like a mini entertainment set – with the jawbone jambox speakers setup as bluetooth speakers.

It’s overclocked from 1ghz to 1.6 ghz with little to no impact on the battery. The modified kernel allows me to have external SD storage enabled and PTP and USB OTG modes so that I can plug in external devices and storage (though I have not yet tried a mouse or keyboard, usb sticks and my leica d-lux 4 work like a champ – for some reason the d3s isn’t properly recognized, so I’ve opened a ticket with google). I hope to use it in a photography sense as well (in Vegas this year, if I’m lucky) with the square reader and squareup app – which lets me accept credit cards as an individual. I can torrent from the thing, as well as use it as a backup phone by way of a skype-in number and a bluetooth headset. The list just goes on and on!

I’ve been tapped to use it as a support tool – once at drinkup a friend had a need to use a variety of basic linux tools such as traceroute, ping and telnet – I was able to hand him my xoom in an ubuntu chroot and tell him ‘go to town’. I can use it to remote control any of my computers as well, even remotely ‘hamachi style’ using a tool called neorouter.

I intend for this to be my “computer” while I’m at Defcon/Blackhat this year. I can easily offload all my photos to it, and it does everything I need while I’m on the go. Someday I hope to actually give a talk from this thing, completely without a laptop.

tl;dr: If you just want a toy, buy an ipad. If you want a tool? Buy the xoom.

 

Wishlist:

  • I still want a site survey tool. Especially overclocked past %50. this thing screams.
  • Having the jambox speakers helps when I want other people to hear stuff, otherwise I want a case that has little ‘ears’ to funnel the speakers forward.
  • Having backtrack5 on this thing is badass, but some of the more impressive stuff is unavailable – I cant send arp traffic and I cant put the wifi interface into monitor mode or inject traffic. I’ve asked about it on the xda thread.
  • I really wish someone would port VLC over to android. This hardware has so much still untapped potential – I want to be able to watch a 720p mkv. Standard dvd rips work fine, highres stuff chokes – because the players don’t leverage the GPU
  • I want to find out why the hell it doesn’t work with my Nikon D3s. It sees the camera, but never sees any photos. wtf?

Tags: , , , , , , , , , , , , , ,
Posted in insight, review, technology | 2 Comments »

How I met your router

Monday, May 2nd, 2011

I suppose you can call it “arriving late to the game” – I’ve only been on the full disclosure mailing list for something on the order of 6-8 months. In that timeframe I saw some interesting (but not ‘interesting enough to make the real news/blogs/etc) vulns and posts come through.

During that time I’d also spent a lot of time playing with shodan. In my downtime I’d spent hours upon hours, up until 4am some days doing searches on shodan for unprotected or easily accessible security cameras (korea has a TON of them all monitoring construction sites, for some reason). Finding traffic cameras in LA, then making a game out of trying to identify the intersection using google streetview.

That horrible movie ‘eagle eye’ starts coming to mind about now, as I’m honing my skills of being able to find all sorts of stuff and tie datapoints together.

One day on the full disclosure list I see this. The first thing I did was go STRAIGHT to shodan and start searching for dd-wrt routers accessible to the internet. I think I did this in something like Dec ’10 or Jan ’11 – I found 8000 or 9000 devices.

I wrote a quick perl script to step through the output of the search and try to see if it was worth it to do something interesting with the data, and out of the resultset I had, I got about %30. Not bad, something like 2000 dd-wrt routers, publicly available, vulnerable to a very simple information disclosure bug.

I immediately thought of Samy Kamkar. His ‘how I met your girlfriend’ talk at blackhat ’10 was hilarious and spectacular (and in getting the link to write this post I found this – cool! didn’t know that android phones were sending that data home. Thats cool and creepy at the same time) - I wondered how that would apply to my findings – so I tried a few of them. I got limited results – something like 700 or 800. Thats not too bad! The workflow kind of looked like this:

 

Vuln -> full disclosure -> shodan -> vuln assessment script -> google location script -> results.txt

 

Once I had a bunch of results in a textfile, I wasn’t really sure what to do. I knew I could try and make a google maps hack, but having never done that before I started asking around for help, so I turned to John. I told him that I’d used shodan for the datamining portion of this little quest, and he offered to help! I had no idea he’d build a little search utility around it – that was awesome. You should check it out, he did a really awesome job!

http://www.shodanhq.com/research/geomac

And heres some more background beyond what I’ve already written that details the more technical aspects of these findings:

http://www.shodanhq.com/research/geomac/report

 

Posted in insight, news, technology | 1 Comment »

12 hours with the motorola xoom

Friday, February 25th, 2011

I was the first person in the door to pick up the new xoom at my local verizon retail store. They mentioned they only had 15, and I jokingly laughed asking “what the hell is this? no line out the door and around the building? dont people know whats going on?”

I’ve been watching the xoom for a few months now, smiling, grimacing, laughing, complaining – as the rumors and news dribbled out.

First Impressions from the first 12 hours:

PROS

  • its FAST. I mean FAST.
  • Angry birds goes very very fast. I presume I’ll be spending a lot of my bored-time screwing with it.
  • I’m now in something like a dozen concurrent games of words with friends.
  • The first thing I noticed was that it supports full-disk encryption. I turned that on right away.
  • The calendar app is awesome, very fluid and easy to use.
  • I can very nearly type two handed on the keyboard as if it were a regular computer keyboard. I’m certain this will improve with time, I’m making a ton of typos.
  • I can video-call my fiance in england from ANYWHERE using google voice chat. Its glorious and awesome. I propped the thing up between the shifter and the dash in my car to test it, and sitting in traffic it was high res and clear, high frame rate. We’re finally in the future – I can internationally video call from the car for free.
  • I love that in video-chat you can switch back and forth between the forward facing and the rear cameras. That right there will be EPIC for any instance where you need someone to show you something, and they want to see where the camera is pointing. Normally (like on laptops) this means having to point the screen away from you, so you’re filming but you can’t see what you’re filming.
  • There was a root howto up less than 6 hours after I bought it.
  • Using it as navigation in the car is BEAUTIFUL. That alone makes me want to build a mount for it so its held properly.
  • Using it as a giant touchpad for my windows/gaming box which is plugged into my 50″ tv is GLORIOUS. It works as a giant touchpad (link). I will be using this A LOT.
  • It supports multiple google accounts, allowing one to use personal and multiple ‘other’ accounts at once. This is particularly useful for me as I’m a contractor/consultant and I often have to manage multiple accounts.
  • Its been said this thing will support usb host mode, meaning I should be able to plug
  • One chief complaint I’ve read was that apps that were ‘made for phones’ look ‘stretched and bad’. Well, the ones I use actually look BETTER. Like wifi analyzer, tweetdeck and antennas. GPS test plus looks RAD!
  • Another complaint people had were that the speakers faced back – I just hold it cupping the speakers and it channels the sound towards me. I’m half tempted to make a couple little ‘ears’ for the thing out of hard plastic that channel the sound forward, and double as an angular stand. Maybe one whole thing that does that plus has a kickstand (HINT HINT PEOPLE WHO HAVE MANUFACTURING CONTRACTS)
  • I feel a lot less constrained – I imagine my phone now will not need to be checking twitter/email/gtalk/etc and I’ll be doing that on the xoom, so my phones battery should last longer.

CONS

  • It cant see my jawbone jambox for some reason. It can see my laptop and my phone, but not the bluetooth speakers (!?!?! no idea. I’ll wait until I get my ubertooth zero to find out wtf.) No Idea what I did differently this time, I got it working. *shrug* – sounds badass too :D
  • I can’t control my parrot ar.drone with it (yet) because I need to find a hack allowing the xoom to associate to ad-hoc networks – though theres another way around this by making the ar.drone associate to an infrastructure AP
  • Skype doesnt support video calls (yet)
  • I really like the HTC clock on my incredible. I want it on the tablet!
  • Now that its rooted, I want to stream movies from my drobo – I can do that on my phone by using cifsmanager, which drops a kernel module in enabling cifs client support – so apps simply think theyre pulling from local storage. After installing it, the xoom said ‘this application isn’t installed’ when I tried to run it. Weird.
  • I cant shake the feeling that I absolutely need to find a way to block the in-app ads. Even on a tablet, they take up a lot of real estate.

TODO

  • Try to get nmap running
  • Try to install debdroid, see what happens
  • Look into seeing what it would take to get pyrit or the aircrack suite running on this thing
  • I WANT DRIFTNET FOR THIS PLATFORM \o/
  • I want to setup ettercap + sslstrip + daemonlogger on this platform
  • I want to see a REAL site survey tool for this platform, like visiwave. That would be EPIC. I’d buy that in a heartbeat.
  • A good ‘dual pane’ (like email) google reader app
  • Need to see if I can turn it into a remote display for my mac or another computer.

More to come as I learn!

Tags: , , , , , , , , , , , , ,
Posted in insight, review, technology | 6 Comments »

Android Phone = rogue access point!

Thursday, July 22nd, 2010

So when I get a new phone, I immediately want to try to get as much access on it as possible (read: root it). Custom roms are wonderful, but in the case of the HTC Incredible I don’t think there are custom roms (yet).

After I rooted my HTC Incredible I started doing searches in the market for interesting things. I found some neat wireless utilities, I found a file manager that lets you browse SMB fileshares on the lan (NEAT.), I found a packetsniffer, and some more interesting tools.

The light came on over my head when I realized “Wait, a packet sniffer AND a wireless access point? .. can .. I sniff.. the wifi with this?!”. As it turns out the answer is yes – it takes some fenagling, and if you do it in the wrong order one application stomps the other (I’ve already written the author of the packet capture application about this but have not gotten a response yet).

Here is a quick walkthrough on how to turn an HTC Incredible into a rogue wireless access point:

  1. Root the phone. This can be done by visiting http://unrevoked.com/recovery/, downloading the app, and running it.
  2. Once the phone is rooted, go to the market, and install the wifi tether application: Be aware though, that with the HTC incredible there are additional steps to get this application to work (see their wiki page: http://code.google.com/p/android-wifi-tether/)

  3. Install the packet capture application. This also will need additional steps after the installation. (http://sites.google.com/site/androidarts/packet-sniffer)
  4. Once you have the packet sniffer installed, configure it to log to a file instead of a sql database. I wasn’t able to find the actual database this thing logs to, but the text file appears right at the root of the sdcard. It looks just like the ‘live’ output though, which I don’t think is a proper format. It doesn’t log raw traffic at all.
  5. Don’t start the sniffer or wifi tether yet – they must be configured beforehand.
  6. Go back to wifi-tether and configure the SSID. Name it something which will attract people in search of free wifi. Linksys. Dlink. Netgear. 2WIRE858. The SSID of a target network, perhaps. Again, do not turn on tethering here yet.
  7. Open up the packet sniffer again, and go to the ‘wifi capture’ section, then enable the capture, and if you’d like, enable logging packets to the screen.
  8. Hit the phones ‘home’ button to exit without stopping the packet capture tool, and re-open the wifi tethering tool. Once in the tethering tool, enable tethering.
  9. Hit home again, and go re open the packet capture tool. If anybody connects, wifi tether will tell you in the status bar at the top of the display, and you will start seeing arp traffic and dhcp traffic scroll in the live feed window as you would with any other packet sniffer.

There are several caveats to this though:

  1. This tool appears to not capture raw packets. You can do this from a terminal using TCPdump if you feel so inclined – the packet capture tool installation instructions have you install a new version of tcpdump. You should be able to use this to capture raw traffic and not just clear text
  2. Packet capture has to be running before wifi tether – if you try to do it the other way around wifi tether will hang and you’ll have to kill it.
  3. This will also capture all the traffic from your phone to the internet, so if you’re trying to do a bunch of stuff on your phone while running a rogue access point, it will  muddy your results.

This has been a fairly simple howto – you creative types will easily be able to find more interesting things to do with this.

My wishlist after figuring this out? – An app that acts like airodump – I want to see clients probing for networks so that I can “give them what they want”. I also want this packet capture tool to log raw data, not just plaintext stuff.  Now that this is possible, I wish for tools like drifnet, dsniff, and others of that sort to become available on the android platform. The objective here would be to use this during a pen test as a tool to capture data, then bring it back to the labs for analysis.

Tags: , , , , , , , , , , , , , , , , , , , , ,
Posted in insight, review, technology, training | No Comments »

How to steal Facebook Authentication cookies

Wednesday, June 16th, 2010

How to hack a facebook account – or, basically how to hijack php sessions. Yes – this is old news – yes its a common vulnerability – but you get a better idea for what it is and how it works when things are explained in detail (with screenshots!).

Before we begin, however, I want to re-emphasize that it is VERY EASY to protect yourself against this sort of attack. Facebook supports HTTPS, so when you browse facebook (or twitter for that matter) or if you have it bookmarked – please make sure you’re using HTTPS:// rather than HTTP:// in the URL at the very least, if not using a VPN solution for further encryption. Also, if the ‘victim’ logs out of facebook, the attackers session becomes invalid – so it’s a good practice to actually log out of facebook and log back in again rather than using the ‘remember me’ checkbox.

Facebook like many sites operates using authentication cookies. Their auth cookies contain a variety of information, but for our purposes this is irrelevant. Here is a sanitized cookie for reference:

Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; lsd=Xesut; lxe=greg.evans%40****************; c_user=100001230367821; lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; xs=a615cfe596448194d6e2a8d062a90e4e

You can see the ‘lxe’ field is the login. We haven’t done any further research into what the various other fields mean, but using facebook without any kind of security you’re both leaking the email address used for your login and the session cookie.

First thing you’ll want to do is fire up your favorite packet capture application. For this example we’ve used Wireshark:

Next, set the filter in the top left to ” http.cookie contains “datr” “. This should show you only packets captured which contain the cookie we’re looking for. You can see that in this screenshot we’ve already captured a cookie.

Once you’ve found a suitable cookie, you can copy it into the buffer by right clicking on the cookie line, and clicking Copy -> Bytes (Printable Text Only)

Next you’ll want to open up firefox. You’ll need both greasemonkey and the cookieinjector script.

Simply browse to facebook – make sure you are not logged in:

Hit ALT-C to bring up the cookie injector dialog box:

Then paste in the cookie!

Hit refresh and – VIOLA! you’re now logged in as your victim! Now this doesn’t give you access to their credentials, this is about the equivalent to walking up to their workstation while they’re away from their desk and using facebook.

Neat huh? Pretty easy too. I smiled big when we demo’ed the attack in our lab – its old, sure, but being successful is always a good feeling!

P.S: This isnt REALLY Gregory Evans account. We setup this account because .. well.. the name was available! We thought it was in good taste as the No #1 hacker’s twitter feed got hacked the other day, his site is riddled with XSS exploits, and his book is copypasta from a variety of certification exam prep books. Thanks to Nick and mckt for the work and tootilage, respectively. No noobs were harmed in the making of this film.

Tags: , , , , , , , , , , , , , , , , ,
Posted in insight, review, technology | 31 Comments »

HTC Incredible: A hackers (Whitehat) perspective

Monday, May 10th, 2010

I just picked up one of these things. In the 3 days I’ve had it I’ve probably convinced 15 people to move to it from their iPhones, or jump to it as their next phone on verizon. Expect this to be more or less a hackers review.

htc incredible review, Dan Tentler

This is the charted battery usage over approximately 3 days. I learned very quickly that when you go to meetups and parties and pass around a brand new phone that very few people have everybody wants to try the same stuff on it over and over again – so the thing gets quite a workout and gets handed back to you with %20 battery left.

I’m using this app to monitor the battery and produce the data for the graph. So far it works out well – except when its not running it simply doesn’t record data, so the datapoints on the bottom of the chart make the graph look a little interesting. I’ve numbered some interesting behavior on the chart:

  1. I recorded the Lost Abbey brewery tour for ~25 minutes. It consumed approximately %25 of the battery life
  2. It took 3 hours and 45 minutes to charge from roughly %35 battery life to full.
  3. in 40 minutes of usage I went from %80 battery to roughly %35
  4. Leaving the phone overnight to cycle the battery
  5. Disregard – You can see at the bottom of the chart the time jumps from ~09oo hours to ~1800 hours in one step.
  6. I’d argue ‘standard’ daily usage
  7. a good solid charge via my macbook
  8. more standard usage

First impressions: This thing is *FAST*. I mean *FAST*. Clocked at 1ghz its very impressive. My G1 would chug and choke when opening the gallery as it tried to thumbnail all the pictures. I suspect the built-in 8 gig storage may have something to do with its I/O performance as I’m guessing the onboard flash is going to behave more quickly than an sdcard. One of the first things I love thinking about is ‘can this thing run nmap/metasploit/JtR/aircrack/etc’. As far as its ability to do that – I have every confidence that the thing could take the pepsi challenge should it arise – however I’ve almost immediately noticed I have to charge this thing 2x a day if I want to use it in any lengthy amount of time. I havent actually had it DIE on me yet, but it’ll get down to %20 or so battery before I start fiddling trying to find the charger.

Its fast, and very very capable. The camera beats the pants off the G1 camera hands down and this is a very appreciated breath of fresh air after having my G1. Only drawback is that it really does consume a lot of juice. I read in the forums that some users have been able to use batteries from other phones in the incredible successfully and extend their battery lives that way.

Interested in hacking the thing? We still don’t have root on it. What does having root mean? Tethering, overclocking, the possibility of all the wonderful linux-based tools we’re used to (nmap, metasploit, etc) and more.

Here are the forums if you want to throw your hat in the ring to get root and help the community expand the functionality of this phone.

Tags: , , , , , , , ,
Posted in insight, review, technology | No Comments »

foursquare sending passwords in the clear

Monday, February 1st, 2010

In this case, I’ll be arguing:

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

(more…)

Tags: , , , , , , , , , , ,
Posted in insight, review, technology, training | 1 Comment »

Twitter, DNS, the “Iranian cyber army” and panic – an analysis

Friday, December 18th, 2009

Status.twitter.com tells us that DNS records were overwritten temporarily tonight by attackers to redirect HTTP traffic to another host that was originally destined for twitter.com.

With the information that I know now (12:40am, 12/18):

The host which contained the landing page was hosted with bluehost. This tells us a few things

  • They didn’t have the infrastructure to do packet captures, or credential theft. Bluehost does shared hosting.
  • Any attempt to do so would have thrown TONS of SSL errors, and very likely DDoS’ed the server hosting the landing page. (Twitter had HUNDREDS of servers, these guys had 1.). All of your twitter apps would have thrown errors, or flat out stopped working.
  • Twitters security infrastructure was left untouched, and was not a target of the attack.

I’ve been watching twitter scroll with sensationalism and panic, people yelling “OH GOD TWITTER GOT HACKED EVERYONE CHANGE YOUR PASSWORDS NOW”.

Please – don’t do that.

Its going to make everyones job harder who have to work on this situation, it incites panic and causes people to prematurely flip out and do things they probably shouldn’t do.

I’ve had to deal with this in the past – people throwing their arms in the air and screaming about passwords being compromised when they in fact weren’t. It did not end well.

Please – think before you hit send.

Tags: , , , , , , , , , , , ,
Posted in insight, rants, technology | 3 Comments »

« Older Entries