Found in an ISO / IEEE 11073 Personal Health Data Work Group meeting presentation: "Managers ignore information they do not understand.", referring to one side of the communication interface the group works on. While arcane terminology and acronyms appear awkward at first, they do prevent embarrassing misunderstandings.
posted at: 15:10 by FX | path: /humor | permanent link to this entry
Due to popular demand, we created some T-Shirts with the cute little PortBunny. Check out shop.recurity-labs.com.
posted at: 17:56 by FX | path: /humor | permanent link to this entry
or why you don't need a fuzzer when you got web developers.
This is just one of those security-related stories that are so funny they must be shared. While working on site at a customer, the person maintaining the inline Snort IPS mentioned that he had to disable a rule due to complaints from people. Apparently, the rule was preventing the CNN.com website from working correctly. For eye candy, here is the rule:
(msg:"WEB-CLIENT PCRE character class double free overflow attempt";
flow:to_client,established; content:"RegExp"; nocase; content:"[[";
content:"]"; distance:1;
pcre:"/(\w+)\s*=\s*('|")[^\2]*\[\[[^\2]*\][^\2]*\2\s*\;.*new\s+RegExp\s*\(\s*\1|new\s+RegExp\(('|")[^\3]*\[\[[^\3]*\]/smi";
reference:bugtraq,25002; reference:cve,2007-3944;
reference:url,docs.info.apple.com/article.html?artnum=306174;
classtype:attempted-user; sid:12286; rev:1;)
Since time and resources are precious, the rule got disabled and everyone was happy. I have to admit that I didn't really think anything of it, except that the rule might be somehow too broadly matching and therefore would eat legitimate JavaScript code. That is, until I surfed Fefe's blog a few days ago using my Nokia E70 phone and clicked on a link to CNN.com. After my phone tried to load the page for a while, the browser crashed. I remembered the episode with the Snort rule and also suddenly realized that my phone's browser is actually using the Apple WebKit, as does Safari.
I read up on the specific vulnerability (http://www.securityevaluators.com/iphone/bh07.pdf) and went back to the CNN.com website, only to find that the included file main.js contains:
var htmlRegEx = new RegExp('[\w*|\W*]*<[[\w*|\W*]*|/[\w*|\W*]]>[ \w*|\W*]*');
This looks suspiciously like what is described on Charles Miller's slides mentioned above, namely: "A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error "Failed: internal error: code overflow" or in some cases to crash with a glibc free() error."
Although I didn't verify to all ends that this is what is crashing my phone's browser, I assume it is.
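As an added example (not code from the post or from Recurity Labs), the following Python script applies the idea behind the Snort rule to JavaScript source: it finds new RegExp(...) constructor calls and flags any pattern that has a nested '[' inside a character class which is not a POSIX class opener, the construct the Miller slides describe. The sample lines are constructed, except the htmlRegEx line, which is the CNN.com main.js statement quoted above; running it over a site's own scripts tells you what an inline IPS with this rule would block.

```python
import re

# Constructed JavaScript sample. The htmlRegEx line is the CNN.com main.js
# statement quoted in the post; the other three lines are made up for contrast.
SAMPLE_JS = r"""
var safe = new RegExp('[a-z]+[0-9]*');
var posix = new RegExp("[[:alpha:]]+");
var htmlRegEx = new RegExp('[\w*|\W*]*<[[\w*|\W*]*|/[\w*|\W*]]>[ \w*|\W*]*');
var nested = new RegExp('[[,abc,]]');
""".strip().splitlines()

# String literal passed to a RegExp constructor (single- or double-quoted).
NEW_REGEXP = re.compile(r"""new\s+RegExp\s*\(\s*(['"])(.*?)\1""")


def nested_class_bracket(pattern):
    """Return the index of the first '[' that appears inside an open character
    class and does not start a POSIX class ([: [. [=), or -1 if there is none."""
    i, n, in_class = 0, len(pattern), False
    while i < n:
        c = pattern[i]
        if c == "\\":                      # escaped char never opens or closes a class
            i += 2
            continue
        if not in_class:
            if c == "[":
                in_class = True
                i += 1
                if i < n and pattern[i] == "^":
                    i += 1
                if i < n and pattern[i] == "]":   # ']' right after '[' is literal
                    i += 1
                continue
        elif c == "]":
            in_class = False
        elif c == "[":
            if i + 1 < n and pattern[i + 1] in ":.=":   # [:alpha:] style class
                end = pattern.find(pattern[i + 1] + "]", i + 2)
                if end == -1:
                    return i               # unterminated POSIX class, flag it
                i = end + 2
                continue
            return i                       # '[' inside a class: the odd construct
        i += 1
    return -1


def scan(lines):
    """Return (line_no, pattern, offset) for every RegExp constructor whose
    pattern contains a nested '[' inside a character class."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in NEW_REGEXP.finditer(line):
            pos = nested_class_bracket(m.group(2))
            if pos != -1:
                hits.append((no, m.group(2), pos))
    return hits


if __name__ == "__main__":
    for no, pat, pos in scan(SAMPLE_JS):
        print(f"line {no}: nested '[' at offset {pos} in {pat!r}")
```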
Dear Nokia, if I had wanted a vulnerable, DRM-infested future malware platform in my pocket, I would have bought an f***ing iPhone in the first place!
Thanks to K.S. for pointing out the Snort rule issue to me!
Update: People report that the iPhone works fine (now?) with CNN.com and I tested the iPod Touch myself (thanks iUte). So where is the Nokia update and security advisory?
posted at: 17:17 by FX | path: /humor | permanent link to this entry
I think it is safe to assume that every kid learns in school, or, to be more precise, during the school breaks, that the more you brag, the better you should be able to defend yourself. What I find interesting is the fact that businesses tend to overlook this simple social rule from childhood. There have been examples of businesses intentionally or unintentionally bragging too much in the past. Think of Oracle's "unbreakable" campaign, rewarded with a massive number of reported security vulnerabilities.
Some may have seen the movie "The Devil Wears Prada". In one scene, the protagonist is ordered to obtain a copy of the latest Harry Potter book, which is not available in stores yet. This being a movie, she manages to get it. The script author referred to the hype created by the Harry Potter publishers Bloomsbury Publishing Plc. around every single release of the book.
I always wondered why the script of an upcoming Harry Potter is not obtained beforehand simply by breaking into the publisher's network. My guess was that the people with the required abilities and skills probably have better things to do. But of course, the stakes are higher with the (hopefully) last book in the series.
Today, a post on the Full Disclosure mailing list claims that a copy of the script for the upcoming book was successfully obtained and presents a spoiler with the ending of the story, as it will be released in 32 days or so. The post mentions that the way to get it was to send an email with a link to a web page that contained some well-known exploit from milw0rm. The post mentions that it is surprising how many people in the company have the script somewhere on their computer. Game over.
A copy of the new Harry Potter: $34.99. The global value of the Harry Potter brand according to Forbes.com: $1.000.000.000. Getting the final marketing move p0wned: priceless.
It doesn't really matter if the Full Disclosure post is a fake or really contains the ending of the next book. If your content is as valuable as this script and your marketing campaign is built on the fact that nobody knows the ending, you had better prepare for someone raining on your parade.
Now would be a good time to sit back and think about the value of your company's intellectual property assets and if you can be sure that nobody else knows about them. Start with the following, non-exhaustive list of checks:
Next time your laptop is stolen and you fill in an estimated monetary loss of more than $4000 on the forms, it would be an indication that you did in fact think about the questions above.
posted at: 11:13 by FX | path: /humor | permanent link to this entry
A German proverb is: "Reden ist Silber, Schweigen ist Gold.", which could be translated as "Speaking is silver, silence is golden." It suggests that in most cases, keeping your mouth shut is a lot smarter than blubbering out whatever crosses your mind. Therefore, golden silence is a comparison (in the linguistic sense, as in augmentation) to speaking.
Now, if not speaking were the augmentation of speaking, what would be the antonym of such golden silence? What could be the worst case of mindless babble? The answer smiled at me today from an exhibition advertisement (as in advertising exhibitionism) printed on transparent film. Reading it from both sides was a revealing experience:
Disclaimer: The current temperatures in Berlin do not allow for any straight thinking. Therefore, we have to revert to humor to prevent our brains from simply stopping operation altogether. Consider this post our mental screen saver.
posted at: 13:37 by FX | path: /humor | permanent link to this entry
When asking the Internet for the definition of a logic bomb, statements such as the following from Wikipedia are returned: "A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met." The definition only implicitly includes, by stating "will set off" instead of "may set off", the requirement that the logic bomb has to actually function to be called that. Otherwise, we call it an embarrassment.
Being invited by mc.fly to speak at the MRMCD event, I found myself talking to a few nice gentlemen about SQL injections and their use. One of them (his name is intentionally left out) lent me his laptop, a brave thing to do in any case, and pointed his browser to a demo web application for employee work time tracking, which he said is used in his workplace. The first thing we noticed was that the standard "I'm here to work now" button was labelled "coming", while there was another button labelled for the exceptional case of "coming with a reason". The software vendor selling this application must be an interesting place to work at.
When we played with a few SQL injections in the application's "Search for employee by name" function on the "absence from work" page, a most interesting error message was returned:

The only contributions we made to the statement were a few characters and a single tick, which of course caused the expression to be invalid. The limiting expression AND p.nummer >= 'AND p.nummer NOT IN (12,17) ORDER BY Nachname' is part of the software. I can only assume that the statement did not work because the AND operator directly followed the >= operator in the first place. Therefore, the brilliant programmer enclosed it in single ticks and no more errors were displayed.
The purpose of the expression was obviously to not display the time records of employees number 12 and 17, since p.nummer is the short form of Personalnummer, the German term for employee ID. It is arguable whether such a feature would never be noticed (as in "Why is Mr. L33t Coder never on the time records?"). Or, as Fefe would put it: "Das merken die NIE !1!!"
What should be noticed here is:
If your software is in a state where random hackers refer to it as a perfect training ground for SQL injection techniques, you should be worried. If the hackers in question identify, with the first injection attempt, your developer's backdoor, which doesn't even work, you should be embarrassed.
And the moral of the story: when you buy software, you don't know what it is going to do. Although the task is anything but easy, I think it's high time to fix that.
posted at: 15:47 by FX | path: /humor | permanent link to this entry