Arrested for directory truncation

From Sol Terra’s “[IP] Use the Dots, Go to Jail – that’s the law” (Interesting People: 24 October 2005):

Today, Daniel Cuthbert was found guilty.

Daniel Cuthbert saw the devastating images of the Tsunami disaster and decided to donate £30 via the website that was hastily set up to be able to process payments. He is a computer security consultant, regarded in his field as an expert and respected by colleagues and employers alike. He entered his full personal details (home address, number, name and full card details). He did not receive confirmation of payment or a reference and became concerned as he has had issues with fraud on his card on a previous occasion. He then did a couple of very basic penetration tests. If they resulted in the site being insecure as he suspected, he would have contacted the authorities, as he had nothing to gain from doing this for fun and keeping the fact to himself that he suspected the site to be a phishing site and all this money pledged was going to some South American somewhere in South America.

The first test he used was the (dot dot slash, 3 times) ../../../ sequence. The ../ command is called a Directory Traversal which allows you to move up the hierarchy of a file. The triple sequence amounts to a DTA (Directory Traversal Attack), allows you to move three times. It is not a complete attack as that would require a further command, it was merely a light “knock on the door”. The other test, which constituted an apostrophe ( ‘ ), was also used. He was then satisfied that the site was safe as he received no error messages in response to his query, then went about his work duties. There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.

20 days later he was arrested at his place of work and had his house searched. In the first part of his interview, he did not readily acknowledge his actions, but in the second half of the interview, he did. He was a little distraught and confused upon arrest, as anyone would be in that situation and did not ask for a solicitor, as he maintained he did nothing wrong. His tests were done in a 2 minute timeframe, then forgotten about.

An overview of Flash Worms

From Stuart Staniford, Gary Grim, & Roelof Jonkman’s “Flash Worms: Thirty Seconds to Infect the Internet” (Silicon Defense: 16 August 2001):

In a recent very ingenious analysis, Nick Weaver at UC Berkeley proposed the possibility of a Warhol Worm that could spread across the Internet and infect all vulnerable servers in less than 15 minutes (much faster than the hours or days seen in Worm infections to date, such as Code Red).

In this note, we observe that there is a variant of the Warhol strategy that could plausibly be used and that could result in all vulnerable servers on the Internet being infected in less than thirty seconds (possibly significantly less). We refer to this as a Flash Worm, or flash infection. …

For the well funded three-letter agency with an OC12 connection to the Internet, we believe a scan of the entire Internet address space can be conducted in a little less than two hours (we estimate about 750,000 syn packets per second can be fit down the 622Mbps of an OC12, allowing for ATM/AAL framing of the 40 byte TCP segments). The return traffic will be smaller in size than the outbound. Faster links could scan even faster. …

Given that an attacker has the determination and foresight to assemble a list of all or most Internet connected addresses with the relevant service open, a worm can spread most efficiently by simply attacking addresses on that list. There are about 12 million web servers on the Internet (according to Netcraft), so the size of that particular address list would be 48MB, uncompressed. …

In conclusion, we argue that a small worm that begins with a list including all likely vulnerable addresses, and that has initial knowledge of some vulnerable sites with high-bandwidth links, can infect almost all vulnerable servers on the Internet in less than thirty seconds.

Kids forcibly sent to re-education programs

From Nadya Labi’s “Want Your Kid to Disappear?” (Legal Affairs: July/August 2004):

RICK STRAWN IS AN EX-COP WHO STARTED HIS COMPANY in 1988 to help police officers find off-duty work guarding construction sites. Ten years later, he was asked by a member of his United Methodist church to transport the churchgoer’s son to Tranquility Bay in Jamaica. The school is run by the World Wide Association of Specialty Programs, a company headquartered in Utah that owns eight schools in the United States and abroad, including Louis, Jr.’s destination. …

Three years ago, Strawn escorted Valerie Ann Heron, a 17-year-old from Montgomery, Ala., to Tranquility Bay. The school is the most hardcore in the WWASP system, the one to which students are sent when they repeatedly cause trouble at other schools. …

The world according to Strawn is based on choices and consequences. The world according to WWASP is designed to reinforce the same principle. Students enter Casa by the Sea at the first of six levels. To advance, they have to earn points through good behavior and schoolwork. Until they reach level three, which takes an average of three months, they can communicate with the outside world only through letters to their parents, which the school monitors. After that, they can talk on the phone to their parents but no one else.

Casa costs nearly $30,000 for a year – as much as a year’s tuition at Harvard – but offers no traditional academic instruction. Instead the schoolwork is self-paced; the students sit at tables with a workbook and take a test on a section when they decide they’re ready. They can retake the same test as many times as necessary to achieve an 80 percent passing grade. According to the Casa parent handbook, the school does not ensure that “the student will even receive any credits” or that the teachers who monitor the study sessions will have U.S. credentials. The school does not track how many of its students go on to high school or college. “You’re not going to have a teacher riding your back,” Dalton told Louis. “It’s all independent study. I just read the module, and did the test. I finished class in a week. That’s how easy it is.”

Students spend more time studying themselves than any other subject. They write daily reflections in response to self-help tapes and videos such as Tony Robbins’s Personal Power, You Can Choose, and Price Tag of Sex. They answer questions like “What feelings/emotions did I experience today and how did I choose to respond?”

Students also attend, and eventually staff, self-help seminars. The entry-level seminar, called Discovery, encourages participants to “learn to interrupt unconscious mental and emotional cycles which tend to sabotage results.” Kelly Lauritsen participated in Discovery at Casa in 2000 and said she was encouraged to hit the walls with rolled towels to release her anger. The price of tuition includes versions of these seminars for parents. Like Oprah on speed, sessions run nonstop from morning until midnight. Many parents and kids say they benefit from the self-analysis. “I didn’t realize that I had so much anger inside,” the 14-year-old girl whom Strawn transported in November wrote to her mother. …

Strawn told Louis that the hardest thing about Casa would be abiding by the school’s intricate system of discipline. “It’s not the big rules that get you. It’s all the little rules,” Strawn said. Casa docks students, according to its handbook, for telling “war stories” about inappropriate experiences, for being unkind to each other, and for making “negative statements about the School, the staff, the country, or other students.”

“There’s a whole page of rules,” said Shannon Eierman, who attended Casa last year. “That page is divided into sections of categories, into different codes, and a million subcategories. You could be there forever and the next day and learn a new rule.”

Students at Casa who commit “Category 5 infractions” can be punished with an “intervention,” for example, which is defined as being left alone in a room. Students say that the punishment can last for weeks, though Casa insists that the maximum penalty is three days. “I had to sit with crossed legs in a closet for three days,” said Kaori Gutierrez, who left Casa in 2001. Interventions may be used to punish out-of-control behavior, drug use, and escape attempts. But they’re also the way the school handles “self-inflicted injuries,” which can range from cracked knuckles to self-mutilation with pens or paper clips to an attempted suicide.

At the root of this long list of punishable violations is “manipulation,” which includes lying or exaggerating. Strawn repeatedly uses the word to dismiss a kid’s behavior – it’s the way he said Valerie Heron acted the day before her suicide. In the WWASP universe that he inhabits, manipulation is a term of art that refers to just about anything a teen does or says that the staff doesn’t like.

Windows Metafile vulnerability

From Noam Eppel’s “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security”:

On Dec. 27, 2005 a Windows Metafile (.WMF) flaw was discovered affecting fully patched versions of XP and Windows 2003 Web Server. Simply by viewing an image on a web site or in an email or sent via instant messenger, code can be injected and run on the target computer. The vulnerability was in the Windows Graphics Rendering Engine which handles WMF files, so all programs such as Internet Explorer, Outlook and Windows Picture and Fax viewer which process this type of file were affected.

Within hours, hundreds of sites started to take advantage of the vulnerability to distribute malware. Four days later, the first Internet messenger worm exploiting the .wmf vulnerability was found. Six days later, Panda Software discovered WMFMaker, an easy-to-use tool which allows anyone to easily create a malicious WMF file which exploits the vulnerability.

While it took mere hours for cybercriminals to take advantage of the vulnerability, it took Microsoft nine days to release an out-of-cycle patch to fix the vulnerability. For nine entire days the general public was left with no valid defenses.

The WMF Flaw was a security nightmare and a cybercriminal dream. It was a vulnerability which (a) affected the large majority of Windows computers, (b) was easy to exploit as the victim simply had to view an image contained on a web site or in an email, and (c) was a true zero-day with no patch available for nine days. During those nine days, the majority of the general population had no idea how vulnerable they were.

Even worse spam is coming

From Spam Daily News’s “Spam zombies from outer space”:

Spammers could soon use zombie computers in a totally new way. Infected computers could run programs that spy into a person’s email, mine it for information, and generate realistic-looking replies.

John Aycock, an assistant professor of computer science at the University of Calgary, and his student Nathan Friess conducted new research that shows it is possible to create a new type of spam that would likely bypass even the best spam filters and trick experienced computer users who would normally delete suspicious email messages.

There are two key reasons why spam is suspicious to anti-spam filters and human targets alike. First, it often comes from an unrecognized source. Second, it doesn’t look right.

The evolution of spam zombies will change this. These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.

The next generation of spam could be sent from your friends’ and colleagues’ email addresses – and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalization, and personal signatures) – making you more likely to click on a Web link or open an attachment.

What features can be easily extracted from an email corpus? There are four categories:

1. Email addresses. The victim’s email address and any other email aliases they have can be extracted, as can the email addresses of people with whom the victim corresponds.

2. Information related to the victim’s email program and its configuration. For example, the User-Agent, the message encoding as text and/or HTML, automatically-appended signature file, the quoting style used for replies and forwarded messages, etc.

3. Vocabulary. The normal vocabulary used by the victim and the people with whom they correspond.

4. Email style.

  • Line length, as some people never break lines;
  • Capitalization, or lack thereof;
  • Manually-added signatures, often the victim’s name;
  • Abbreviations, e.g., “u” for “you”;
  • Misspellings and typos;
  • Inappropriate synonyms, e.g., “there” instead of “their”;
  • Replying above or below quoted text in replies.

The Flash Worm, AKA the Warhol Worm

From Noam Eppel’s “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security”:

In 2001, the infamous Code Red Worm was infecting a remarkable 2,000 new hosts each minute. Nick Weaver at UC Berkeley proposed the possibility of a “Flash Worm” which could spread across the Internet and infect all vulnerable servers in less than 15 minutes. A well engineered flash worm could spread worldwide in a matter of seconds.

The 1st software patent

From Robert X. Cringely’s “Patently Absurd: Why Simply Making Spam Illegal Won’t Work”:

Software patents have become inordinately important for something that 25 years ago we didn’t even believe could exist. After several software patent cases had gone unsuccessfully as far as the U.S. Supreme Court, the general thinking when I got in this business was that software could not be patented, only copyrighted. Like the words of a book, the individual characters of code could be protected by a copyright, and even the specific commands could be protected, but what couldn’t be protected by a copyright was the literal function performed by the program. There is no way that a copyright could protect the idea of a spreadsheet. Protecting the idea would have required a patent.

Then on May 26, 1981, after seven years of legal struggle, S. Pal Asija, a programmer and patent lawyer, received the first software patent for SwiftAnswer, a data retrieval program that was never heard from again and whose only historical function was to prove that all of the experts were wrong — software could be patented. Asija showed that when the Supreme Court had ruled against previous software patent efforts, it wasn’t saying that software was unpatentable, but that those particular programs weren’t patentable.

The difficulty of recovering from identity theft

From TechWeb News’s “One In Four Identity-Theft Victims Never Fully Recover”:

Making things right after a stolen identity can take months and cost thousands, a survey of identity theft victims released Tuesday said. Worse, in more than one in four cases, victims haven’t been able to completely restore their good name.

The survey, conducted by Nationwide Mutual Insurance Co., found that 28 percent of identity thieves’ marks aren’t able to reconstruct their identities even after more than a year of work. On average, victims spent 81 hours trying to resolve their case.

According to the poll, the average amount of total charges made using a victim’s identity was $3,968. Fortunately, most were not held responsible for the fraudulent charges; 16 percent, however, reported that they had to pay for some or all of the bogus purchases.

Other results posted by the survey were just as dispiriting. More than half of the victims discovered the theft on their own by noticing unusual charges on credit cards or depleted bank accounts, but that took time: on average, five and a half months passed between when the theft occurred and when it was spotted.

Only 17 percent were notified by a creditor or financial institution of suspicious activity, a figure that’s certain to fuel federal lawmakers pondering legislation that would require public disclosure of large data breaches.

Paul Graham on software patents

From Paul Graham’s “Are Software Patents Evil?”:

The situation with patents is similar. Business is a kind of ritualized warfare. Indeed, it evolved from actual warfare: most early traders switched on the fly from merchants to pirates depending on how strong you seemed. In business there are certain rules describing how companies may and may not compete with one another, and someone deciding that they’re going to play by their own rules is missing the point. Saying “I’m not going to apply for patents just because everyone else does” is not like saying “I’m not going to lie just because everyone else does.” It’s more like saying “I’m not going to use TCP/IP just because everyone else does.” Oh yes you are.

A closer comparison might be someone seeing a hockey game for the first time, realizing with shock that the players were deliberately bumping into one another, and deciding that one would on no account be so rude when playing hockey oneself.

Hockey allows checking. It’s part of the game. If your team refuses to do it, you simply lose. So it is in business. Under the present rules, patents are part of the game. …

When you read of big companies filing patent suits against smaller ones, it’s usually a big company on the way down, grasping at straws. For example, Unisys’s attempts to enforce their patent on LZW compression. When you see a big company threatening patent suits, sell. When a company starts fighting over IP, it’s a sign they’ve lost the real battle, for users.

A company that sues competitors for patent infringement is like a defender who has been beaten so thoroughly that he turns to plead with the referee. You don’t do that if you can still reach the ball, even if you genuinely believe you’ve been fouled. So a company threatening patent suits is a company in trouble. …

In other words, no one will sue you for patent infringement till you have money, and once you have money, people will sue you whether they have grounds to or not. So I advise fatalism. Don’t waste your time worrying about patent infringement. You’re probably violating a patent every time you tie your shoelaces. At the start, at least, just worry about making something great and getting lots of users. If you grow to the point where anyone considers you worth attacking, you’re doing well.

We do advise the companies we fund to apply for patents, but not so they can sue competitors. Successful startups either get bought or grow into big companies. If a startup wants to grow into a big company, they should apply for patents to build up the patent portfolio they’ll need to maintain an armed truce with other big companies. If they want to get bought, they should apply for patents because patents are part of the mating dance with acquirers. …

Patent trolls are companies consisting mainly of lawyers whose whole business is to accumulate patents and threaten to sue companies who actually make things. Patent trolls, it seems safe to say, are evil. I feel a bit stupid saying that, because when you’re saying something that Richard Stallman and Bill Gates would both agree with, you must be perilously close to tautologies.

Better in command of the enemy than a prisoner

From “Fort Henry and Fort Donelson”:

Shortly after the surrender of Fort Sumter, Confederates built two forts just south of the border of Tennessee and Kentucky. … Fort Henry guarded the Tennessee River while Fort Donelson guarded the Cumberland. … The key to rolling up the Confederate defense of the Mississippi River was the capture of Fort Henry and Donelson. That job fell to General Ulysses S. Grant and Commodore Andrew Foote. …

Fort Henry was easy prey for the Union gunboats … When Fort Henry surrendered, Grant turned his attention to Fort Donelson. … Inside Fort Donelson, General John Floyd commanded, with Gideon Pillow and Simon Bolivar Buckner under him. …

Gideon Pillow launched an assault against the Union right (McClernand), demolished 5 brigades in the federal line, forcing them into full retreat and grabbed a road that led to Nashville. Pillow had a number of good choices he could have made: turn left or right to battle the exposed flanks of Grant’s army, or use the road he had captured to evacuate to Nashville. Pillow, generally regarded as the worst general on either side during the Civil War, decided to withdraw back into the fort because his men seemed exhausted.

… That evening, Floyd, Pillow and Buckner considered surrender. Buckner, lowest ranking of the three generals, was the one left to do the task. Buckner and Pillow slipped out by boat and Nathan Bedford Forrest, his cavalry and a few foot soldiers found a partially flooded land route out minutes before it was closed off by Union infantry.

According to General Grant’s memoirs, one of Grant’s first questions to Buckner was: “Where is Pillow? Why didn’t he stay to surrender his command?”

Buckner: “He thought you were too anxious to capture him personally.”

Grant: “Why if I had captured him I would have turned him loose. I would rather have him in command of you fellows than as a prisoner.”

Zombie ships adrift off the shore of Africa

From “Happiness: The Chinese zombie ships of West Africa”:

We’re in the big African Queen inflatable, cruising alongside an anchored trawler. It’s more rust than metal – the ship is rotting away. The foredeck is covered in broken machinery. The fish deck is littered with frayed cables, and the mast lies horizontally, hanging over the starboard side. A large rusty Chinese character hangs on railings above the bridge, facing forward. It reads ‘happiness’. …

Moff turns the boat, taking us to another of the rusting fishing vessels, 70 nautical miles (130km) off the coast of Guinea, West Africa. We had been told this was where old pirate fishing boats were left at anchor, abandoned. We didn’t expect to find living people on board the dying ships. …

We head away, going with the current, which was purple and green with the dregs of spilled fuel. Throughout the afternoon, I keep noticing just how dirty the water is, with oil and fragments of plastic.

We arrive at Long way 08, which is in line for refuelling. This trawler is in a poor state, with the hull covered in masses of good-sized shellfish.

Four young Chinese crewmen meet us with smiles and welcomes. They tell us that some of them have been on board for 2 years, non-stop. The trawler itself has been out here for eight years, and would probably be kept going for another six or so, or as long as it lasted.

Here’s the thing – these ships seldom, if ever, visit a port. They’re re-supplied, refuelled, re-crewed and transhipped (unloaded) at sea. The owners and crews don’t seem to do any basic maintenance, apart from keeping the engine and winches running. There’s no glass in the portholes, and the masts are a mess of useless wiring. These floating deathtraps don’t carry any proper safety gear – on one boat, I saw the half-barrel case of an inflatable liferaft being used to store a net. …

We move to the second ship, where again, a bunch of friendly young guys have been sitting at anchor for two months, waiting for technical help and a new crew. Their engine doesn’t work, and they have no safety gear or radio. They can, however, run their watermaker, for desalinating seawater. Lines of drying fish hang over the deck, but they’re running out of other food, and are often forced to signal other fishing boats for help. Like everyone else, their future is uncertain. …

… we talk to the chirpy Guinean fisheries observer on their vessel. He’s very chatty, and tells us what is going on – that the other trawler was basically being dumped here. He says that the Chinese boats were in poor shape generally, and that last year, one had sunk, taking 14 crew with it. What are conditions like on this boat? He shrugs: “Not good. But I have to have a job.” …

Later, as we drop some supplies to the engine-less trawler, we see one of the crew hauling himself along on a rope, while standing on a small raft. It’s a bizarre sight, but this is how they get between the two decrepit vessels. …

Earlier in the day – before the graveyard of zombie trawlers – fisheries inspectors had told us of where the fish actually goes. Caught by the Chinese and other trawlers, it’s transhipped to several different vessels. ‘High value’ stock goes to Las Palmas, in the Canaries and off to the dinner tables of Europe. The ‘dirt’ fish is transhipped to Africa. The Chinese fishermen, it seems, barely get a look in. ‘Happiness’ indeed.

Shoehorning drivers licenses

From Bruce Schneier’s “REAL ID” in Crypto-Gram (15 May 2005):

REAL ID also prohibits states from issuing driver’s licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses — which isn’t going to help anyone’s security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

Another awful poet

Scotland’s worst poet, William Topaz McGonagall: From “The Tay Bridge Disaster”:

Beautiful Railway Bridge of the Silv’ry Tay!
Alas! I am very sorry to say
That ninety lives have been taken away
On the last Sabbath day of 1879,
Which will be remember’d for a very long time. …

Or here’s a few lines from “Glasgow”:

And as for the statue of Sir Walter Scott that stands in George Square,
It is a handsome statue — few with it can compare,
And most elegant to be seen,
And close beside it stands the statue of Her Majesty the Queen. …

Read more at a site dedicated to William McGonagall, or just search Google.

Crack Windows passwords in seconds

This is an oldie but still a goodie – or a baddie, if you use or depend on Windows. Back in 2003, researchers released tools that enable the cracking of Windows passwords in an average of 13.6 seconds. Not bad, not bad at all. CNET has a nice writeup titled Cracking Windows passwords in seconds, which explains that the best way to guard against the attack is to create passwords that use more than just alphanumeric items. In other words, read my SecurityFocus column from May 2004, Pass the Chocolate, which contains this advice: “… you should use a mix of at least three of these four things: small letters, capital letters, numbers, and symbols. If you can use all four, great, but at least use three of them.”

If you want to download and test the security of your Windows passwords, you can grab the software at Ophcrack. You can get source, as well as binaries for Windows and Linux. There’s even an online demo of the software, in which you can paste a hash of the password you’d like to crack and get back the actual password. Nice!
