Cupfighter.net

Yesterday, I spent some of the hours that I was stuck in a metal tube above the Atlantic Ocean to pull together my schedule for BlackHat and Defcon coming Wednesday to Sunday. The schedule I pulled together combined with my plans to do (semi) life blogging from the conference for Cupfighter.net is actually quite mad so I fully expect to have to skip some of the activities listed below.

Wednesday 29 July 2009 (BlackHat)

• Introduction to BlackHat 2009 by Jeff Moss
• Keynote by Douglas C. Merrill
• Router Eploitation by Felix “FX” Linder
• Rapid Enterprise Triaging by Aaron LeMasters & Michael Murphy
• More tricks for defeating SSL by Moxie Marlinspike
• Economics and the Underground Economy by Gormac Herley or
• The Language of Trust: Exploiting Trust Relationships in Active Content by Mark Dowd, Ryan Smith and David Dewey (preview)
• Internet Special Ops by Andrew Fried, Paul Vixie and Christopher Lee
• Gala reception with the talk “Me to We” by Johnny Long and the Pwnie Awards

Thursday 30 July 2009 (BlackHat)

• Keynote by Robert Lentz
• Cloud Computing Models and Vulnerabilities – Raining on the Trendy New Parade by Alex Stamos, Andrew Becherer & Nathen Willcox
• SADE: Injecting agents into VM Guest OS by Matt Conover
• Clobbering the Cloud! by Haroon Meer, Nick Arvanitis and Marco Slaviero
• Breaking the Security Myths of Extended Validation SSL Certificates by Alexander Sotirov and Mike Zusman
• Cloudburst – Hacking 3D and Breaking out of VMWare by Kostya Krichinsky
• Reconceptualizing Security by Bruce Schneier
• Toxic BBQ together with Chris John Riley

Friday 31 July 2009 (Defcon)

• Beckstrom’s Law – A Model for Valuing Networks and Security by Rod Beckstrom
• Asymettric Defense: How to Fight Off the NSA Red Team with Five People or Less by Efstratios L. Gavas
• Q&A with Bruce Schneier
• More tricks for Defeating SSL by Moxie Marlinspike
• Cloud Security in Map Reduce by Jason Schlesinger
• Socially 0wnded in the Cloud by Digividual
• Defcon Security Jam 2: The Fails Keep on Coming by David Mortman et al
• Stealing Profits from Stock Market Spammers or: How I learned to Stop Worrying and Love the Spam by Grant Jordan
• Malware Freakshowby Nicolas J. Percoco and Jibran Ilyas
• Criminal Charges are not Pursued: Hacking PKI by Mike Zusman
• Something about Network Security by Dan Kaminsky
• 10,000 cent Hacker Pyramid
• Hacker Karaoke or Hacker Jeopardy

Saturday 1 August 2009 (Defcon)

• Breaking the “Unbraekable” Oracle with Metasploit by Chris Gates and Mario Ceballos
• CSRF: Yeah, It Still Works by Mike “mckt” Bailey and Russ McRee
• RFID MysthBusting by Chris Paget
• Failure by Adam Savage
• The Projects of “Prototype This!” by Joe “Kingpin” Grand, Zoz
• Hijacking Web 2.0 Sites with SSLstrip – Hands-on Training by Sam Bowne
• Metasploit Track

Sunday 2 August 2009 (Defcon)

• Down the Rabbit Hole: Uncovering a Criminal Serverby Iftach Ian Amit
• Invisible Access: Electronic Access Control, Audit Trails and “High Security” by Marc Weber Tobias, Matt Fiddler and Tobias Bluzmanis
• Unmasking You by Jushua “Jabra” Abraham and Robert “RSnake” Hansen
• Cracking the Poor and the Richt: Discovering the Relationship Between Pysical and Network Security by Damian Finol
• AAPL – Automated Analog Telphone Logging by Da Beave
• Slight of Mind: Magic and Social Engineering by Mike Murray and Tyler Reguly
• USB Attacks: Plug & 0wn by Rafael Dominguez Vega
• Cracking 400,000 Passwords or: How to Explain to Your Roommate why the Power Bill is a Little High by Matt Weir and Sudhir Aggarwall
• Award Ceremonies hosted by Dark Tangent

As reported here: http://www.goodgearguide.com.au/article/312438/security_certificate_warnings_don_t_work_researchers_say

“In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

“Everyone knew that there was a problem with these warnings,” said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper’s co-authors. “Our study showed dramatically how big the problem was.” …

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

“That’s sort of a backwards understanding of what these messages mean,” Sunshine said. “The message is validating that you’re visiting the site you think you’re visiting, not that the site is trustworthy.”

My collegue Otto Jongerius pointed me to this interesting story from the Internet Storm Center.

Source code for a exploit of a Linux kernel vulnerability has been posted by Brad Spengler (Brad is the author of grsecurity). I have to tell you right now – this was one of the most fascinating bugs I’ve read about lately.

Why is it so fascinating? Because a source code audit of the vulnerable code would never find this vulnerability (well, actually, it is possible but I assure you that almost everyone would miss it). However, when you add some other variables into the game, the whole landscape changes.

While technical details about this are a bit complex, generally what’s happening can be easily explained. The vulnerable code is located in the net/tun implementation. Basically, what happens here is that the developer initialized a variable (sk in the code snippet below) to a certain value that can be NULL. The developer correctly checked the value of this new variable couple of lines later and, if it is 0 (NULL), he just returns back an error. The code looks like this:

struct sock *sk = tun->sk;  // initialize sk with tun->sk
…
if (!tun)
return POLLERR;  // if tun is NULL return error

This code looks perfectly ok, right? Well, it is, until the compiler takes this into its hands. While optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn’t exist in the source code. This will cause the kernel to try to read/write data from 0×00000000, which the attacker can map to userland – and this finally pwns the box. There are some other highly technical details here so you can check your favorite mailing list for details. Here is a video of the exploit:

Brad was able to even bypass SELinux protections with this and LSM.

The fix for this is relatively easy, the check has to be done before assigning the value to the sk structure.
Fascinating research that again shows how security depends on every layer, and how even very expensive source code audit can result in missed vulnerabilities.

I recently got my invitation to sign up for Google Voice (previously known as Grand Central) but was confronted with a couple of challenges. The first one being that the service is not offered outside the US yet. Since I’ve been living abroad for the last few years, I’ve gotten used to finding myself on the wrong side of the “geo-fence” that sites put up, using your IP address to determine whether you might be in the US or not. So to begin the process of responding to the invitation email, I needed to proxy my web browser traffic thru a server in the US (there are scores of anonymizing proxies and plain-old-vanilla proxies, but I’m lucky to have friends with computers with reasonably low latency ping times). Once that was done, I began the 4 step process of registering a phone number so that I could get on with finding out what GV can do.

So many choices for phone numbers, but fortunately they came up with an interesting combination of methods to choose an available number. You can search by zip or area code of course, and you can also search by text string. What better way to make your Google Voice phone number easy to remember or say to someone than to look for your favorite phrase or handle/call-name. Since physical location does not matter so much these days, why not pick a phone number that hails from “Pocahontas, Mississippi?”

The next challenge was a bit tougher, the service needs at least one phone number to ring you on when you get a call to your GV number. That number has to be a US number (due to the way calls are charged in the US versus Europe. [I found an interesting discussion about this and how it impacts the possibility of deploying GV in Europe.

With some blind optimism, I entered my US efax/j2 number, hoping that when they called it to request the two digit verification code currently displayed on my browser, they might provide an alternative method for me to verify that I own/use the phone number in question in their voicemail message. Nope.

So my options at this point were to either setup a Skype-in number for something like 15 euros for 3 months so that I could answer the automated GV phonecall, or ring a friend in the US, give his number and send him the verification code so that I could finish the registration process. You will correctly guess that I opted for the latter.

Finally I get to see the interface, check out the settings page, and read the little help buttons that explain exactly what the “do not disturb” checkbox does (this is something that I need to use of course, so that my friend does not get called each time I receive a call to my GV number). I have to say that there are only a few advantages to using Google Voice as an expat over simpler services like efax/j2. One of them, however, is pretty darn helpful. Voicemail transcripts. Although the technology still  has a ways to go before being 100% (most speech to text systems fail to get near 100% really, so who can blame them at this point), you certainly can get the gist of a message by reading the transcript. The transcribed words that the system is sure about are in black text, and the words which the system had doubts about are in a lighter shade of grey. And just like a karaoke machine, the highlighting of the message text in red underline as you listen to the audio voicemail message is kind of fun in it’s own right. What I’m not entirely sure about though is how or why the transcript engine/system decides that a transcript is not possible. The first GV voicemail message that I left for myself was marked “Transcript not available.”

Being the responsible beta user that I am, I immediately clicked on the feedback link to let them know of my question about the criteria under which a transcript might not be available. This took me to a nice little Google docs form for providing feedback. Ok, I’m game. A simple email form is not enough control over what folks put into the feedback, so I write up my question, I hit submit and get a cheeky little reply saying that an unexpected error occurred, they are rather embarassed about it of course, and that I can rest assured that geeks have been notified that the error took place. So much for my first interaction with the community of GV developers.

One more thing worth mentioning is the GV mobile application. Having a blackberry (or iPhone) means that I can (and did) download the GV mobile application, giving me the equivalent of visual voicemail for free on the service. This is nice. Of course if I want to listen to the voicemails, I need to download them first, but that is to be expected. The real time saving feature here is not necessarily being able to listen to my GV messages whereever I happen to be, but instead the sheer time saved by being able to see who the message is from and read the transcription in just a few seconds.

Oh and I suppose being able to send and receive SMS/text messages for free with my friends and family in the US is also a perk. They intend, I supposed, to eat some of Skype’s lunch in this kind of “messaging for free” model. I wonder if they plan to have an API exposed so that I can do this with a script? I admit that I’m not the real target audience subscriber for Google Voice, but I’m on board at the moment and am thinking that it has some nifty features (I didn’t even mention the widgets/gadgets that you can use where the person never knows what your GV number is… nice for security/anonymity).

Question: Anyone else trying to integrate GV into their point of presence without being in the US at the time?

Citrix recently released a webinar by Derek Thorslund on Citrix Flash HDX, check it out here: http://www.citrix.com/tv/#video/635

I was pretty impressed when trialling Flash HDX myselfs… seeing is believing The movies below are not mine, but linked from youtube.com. It’s worth trialling yourselfs, you won’t be disappointed.

Flash HDX Demo on XenApp

Flash HDX Demo on XenDesktop 3 (vs VMWare view 3)

Download the Technology preview of Citrix HDX Mediastream for Flash here.

Check comments below for a solution to this issue! Thanks to Daniel Verbruggen!

While testing the Aladdin eToken (USB form Factor Smart Card) with PKIClient 5.0 on windows 7, I discovered that the certificates are no longer published into the “Personal Certificate Store”.
Which makes the eToken quite useless for now on Windows 7. I can however logon to the Windows 7 system using the eToken. But for all other purposes like VPN, website authentication etc it cannot be used since Windows 7 does not offer you to pick an certificate to authenticate with.
The Smart Card device forwarding still works, over RDP and also within XP Mode on Windows 7.

I dropped Aladdin an email and asked them for timelines and Windows 7 support, but until now, nothing but silence. I will update this post when I know more. In the meanwhile if you’ve got a workaround… please drop a comment.

eToken and PKIClient 5.0 on Windows 7

eToken and PKIClient 5.0 on Windows 7 with XP-Mode.

Related issues:

Cisco VPN, Windows 7 and eToken
Website Authentication, Windows 7 and eToken

Interesting insights on the new Windows 7 UAC… (http://www.pretentiousname.com/misc/win7_uac_whitelist2.html)

From: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

List of binaries which are allowed “auto-elevation” :

http://www.withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/

VMware has released Labmanager for Vpshere 4. http://www.vmware.com/products/labmanager/

VMware vCenter Lab Manager is the ideal solution for IT organizations who want to provide self-service provisioning and management capabilities to internal teams. Policy-based access control reduces administrative burden for IT, lowers infrastructure management costs and empowers project teams to deliver applications more quickly and with greater agility.

Deliver Higher Service Levels and Lower Infrastructure Costs

Lab Manager offers unique capabilities to simplify management of the internal cloud for dev/test:

• Self Service Portal – Provides on-demand access to a library of virtual machine configurations for end users while eliminating time-consuming provisioning tasks for IT by 95%.
• Automated Resource Management – Allows dynamic allocation of resources in a multi-team environment, enforces quotas and access rights, and reclaims unused infrastructure services.

Enterprise Scalability – Provides long-term return on investment with a scalable architecture for worldwide deployment, best in class performance and seamless integrations with in-house and 3rd party solutions.

While checking the statistics of our blog I saw some referrals from http://community.citrix.com.
We are listed as a Citrix Community featured website! We are very happy to see this, especially because this blog is very young! The first posts are from June 2009.

We will try not to disapoint you. We have some very interesting projects comming-up which involve very mission critical XenApp and XenDesktop environments. We will post our hands-on experiences here! So stay tuned !

The current version of System Center Operations Manager 2007 doesn’t use version control for management packs. If you manage complex environments and use lot of custom monitoring, it would be nice to see when there is something changed and even better: easily fall back to your previous version in case an error slipped in. Another benefit of version control is you have exported management packs ready to import in other environments: i.e. between acceptance and production or between customers in case you are managing multiple customers like we do.

I’ve written some scripts to automatically export all your unsealed management packs if there is something changed, write a version number and email the new managementpack with a summary of all differences.

Another script will import your version controlled management packs (if there is something changed).

Scripts are updated on 12-11-2009

Read more…