Hahahaha… well, you could see this one coming of course… the OV-chipkaart has been fully cracked. Earlier, Trans Link Systems (the operator of this OV-chip fail, a joint venture of the public transport companies) claimed that fraud would be detected and would lead to the card being blocked. Apparently they can see that the card was not topped up while its balance was increased anyway. Now it turns out, however, that the block simply lives on the card itself… so with some modified software you can just unblock it.
People with more than two communicating brain cells already knew this, but for all the politicians, policy makers and IT bunglers out there: “security by obscurity” is NOT security. Read it. Remember it… and put it into practice. Salient detail: the OV-chipkaart is a means of payment approved by De Nederlandsche Bank. Whahahaha… so that's another bunch of bunglers. And Nout Wellink keeps saying DNB is a good supervisor. Good night.
Fortunately the OV-chipkaart was largely financed with extra free tax money, so it doesn't matter. On to the next money-guzzling project that is doomed from the start… Our tax pennies are being spent so carefully…
At the Chaos Computer Club Congress, Microsoft's Bruce Dang shared the knowledge gained by analyzing the Stuxnet worm. Stuxnet appears to be written specifically to attack Iran's nuclear centrifuges. It spreads through Windows-based systems and is pretty nifty… well, the most shocking thing of all is to see the enormous number of stupid privilege escalations that happen because Windows doesn't have a very secure foundation on which it is built (“a print-spooler flaw that allowed remote guest accounts to write executable files directly to disk”… tsk tsk tsk). This is a nice read-up on the Stuxnet worm.
“I have nothing to hide, do I?” is the most common argument you hear when you ask people what they think of the ever-increasing surveillance capabilities the Dutch government is trying to deploy to keep an eye on its citizens. Of course you have nothing to hide… from the government, perhaps… but what if the data falls into the hands of third parties? That is the big problem: you expect governments, and companies too, to handle citizens' personal data carefully. And it is precisely that expectation that turns out to be unmet time and time again. I'm writing this in response to a large leak at NL-energie, but that is just one example of the countless incidents that have surfaced recently… mind you: the incidents that have become known. The tip of the iceberg, then.
There are strict rules that companies and governments must comply with regarding the handling of personal data. Yet time and again incidents surface showing that those rules are being violated on a large scale. That is why I feel less safe every time administrations are linked, databases are set up, data traffic is about to be monitored, and so on. So do I have something to hide? No! Or yes, actually I do… my identity. I want to keep my own identity and above all keep it to myself. I have no need for organisations leaking my private data to all and sundry.
Whahahaha.. brilliant. Rop Gonggrijp is at it again. Together with some researchers he, like, totally p0wnez Indian voting machines. Rop already demonstrated that Dutch voting machines are inherently unsafe. Check the site “Wij vertrouwen stemcomputers niet” (English). That is the reason why we (again) vote with red pencil and paper in the Netherlands. Now India will probably do the same. Looking for a career change? How about manufacturing red pencils… India will need a couple any time soon. Here's a cool video that can also be found on Rop's site.
Whahahaha… it had to happen one day. A problem with an anti-virus update marks a false positive and puts the file in quarantine. The OS can't load the file anymore and… oops… reboots… and… reboots… and… reboots… This is actually a great feature. Rebooting Windows is like 80% of normal usage and it is now fully automated.
Fixing it can be a bit hard… since the computer is rebooting all the time. McAfee could create a bootable Windows CD that restores the missing file to the system but.. hey wait.. no they can't do that. You can't distribute a proprietary OS like Windows for free… Maybe they can create a Linux boot CD to restore the Windows file… Something to contemplate: using Linux to revive a Windows machine.
Oh wow.. now here's a very nice report of a recent successful XSS attack on apache.org. No, don't worry, it isn't a huge hole in the Apache web server… just a very clever attack. Well.. they did obtain SVN credentials, so the attackers might have changed the sources and injected a backdoor…
The attackers were able to penetrate at system level due to the usual end-user fuck-ups like using the same account & credentials for the web applications as well as for shell access to production systems. One-time passwords did prevent the attackers from gaining full access to the entire infrastructure. It's a nice read.
Oh this is very, very nice. Google has implemented a feature in Gmail to detect suspicious account activity. Suppose you always access your Gmail from the Netherlands… and all of a sudden it is accessed from Poland?… Gmail will now warn you about this kind of abnormal behaviour. It's a good read. Here's a little teaser…
A few weeks ago, I got an email presumably from a friend stuck in London asking for some money to help him out. It turned out that the email was sent by a scammer who had hijacked my friend’s account. By reading his email, the scammer had figured out my friend’s whereabouts and was emailing all of his contacts.
Well, as many developers already know: security is a concept, not a product! You can't just throw “some security” at a piece of software. Security considerations must be part of the original design and development of software. The Pwn2Own hacking contest shows, once again, that there is too little security awareness in current software design. Look at these embarrassing results: all major browsers took a fall: Internet Explorer, Firefox and Safari. Most browsers were compromised through popular plugins like Acrobat Reader.
These OS's took a fall: Windows 7, Windows XP, Mac OS X Snow Leopard. The only OS that is still standing is Linux. Because Linux is infinitely more secure? Well, maybe, but there's also something else: Linux is an open source OS where highly skilled developers are coding. Changes are reviewed by others before they are merged into the main kernel tree. In other words: security is part of Linux. Another thing is that people who run Linux are people who are aware of abuse. These are, in general, not the people who would click on the ‘cute-kitten-movie.exe‘ attachment. So Linux is just not that interesting to black hat hackers. True: Mac OS X is built on an open source OS as well, FreeBSD, but the presentation layer and Safari are proprietary code from Apple (except for WebKit, on which Safari is built).
Microsoft currently runs the Security Development Lifecycle (SDL) model. This should make security an integral part of the development lifecycle. Well, to be honest, when budgets are getting tight and deadlines are running out, documentation and code quality are the first areas that take the fall. So really I don't expect much from SDL. Especially since MS is trying to develop a ‘catch all’ (silver bullet) security measure inside the kernel… I'm not saying these measures aren't worthwhile, they are (Linux has had them for ages now), it's just not enough.
The phrase ‘security is a concept, not a product‘ proves its point when you look at the measures current OS's are implementing to prevent ‘arbitrary code execution’. Windows XP, Windows Vista (still in use?) and Windows 7 have DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). Both ‘techniques’ should prevent (or at least make it harder) to execute arbitrary code… but they don't. Dutch security researcher Peter Vreugdenhil showed an impressive circumvention of DEP and ASLR in Windows 7. See: security is not a product…
The good thing is that the hackers are not just updating the vendors on the leaks they found. Instead they tell the vendors how to find the leaks themselves in an attempt to raise awareness.
An article in the Washington Times reports on US cybersecurity experts who claim that the Chinese cyberattack last year was aimed at stealing corporate secrets. One of the targeted firms was Google. They discovered the attack and claimed they could trace it back to the Chinese government. This is one of the reasons why Google is moving its business from China to Hong Kong. It's a good read and I hope more details will follow.
Oh, I had to work this weekend. Well, actually a lot of people had to come in and work one or more shifts over the weekend. I did one (long) shift. I also had to come in early the next day. So, wandering the desolate hallways, I decided to take some pictures of how we trashed the place up… well… be glad I didn't take pictures on Sunday. I also saw a nice example of password secrecy: a post-it note, attached to the front panel of a monitor, containing a userid and a password. I blurred them in the photo but they were there for everyone to see.
Whahahaa… nice. The EFF (Electronic Frontier Foundation) has filed a request for a DMCA exemption to allow jailbreaking of Apple's iPhone. Users must be able to install any software they wish.. not just the software Apple approves of.
Just this week Apple removed every voice-based application from the App Store to protect its exclusive deal with AT&T, because it “duplicates features that come with the iPhone”. This just proves the necessity of people having the right to install any software they want.
Soooo Apple had to respond to the DMCA exemption request and explain why jailbreaking would be bad…. well.. hold on tight.. according to Apple the iPhone is not just a phone… it's a weapon of mass disruption. I call “FUD“.
Okay okay, calm down people…. calm down… This week rumours spread all over the internet that a 0-day attack against OpenSSH was used to compromise computer systems. Everyone was advised to upgrade to the latest version of OpenSSH even though there was not a single piece of evidence of this attack. Sure, there was a nice (and somewhat entertaining) ‘script’ dump of an alleged attack (also read the small comments inside the script dump, very funny at times). In this dump you can see that they used a tool called 0penPWN (also called 0pen0wn) that allegedly breaks OpenSSH. But we are all able to fake some output, aren't we? Here's another dump of an alleged attack.
Damien Miller (OpenSSH) responded that he still has not received a single piece of evidence of a 0-day exploit. He summarizes some of the possible attacks and argues that it's very unlikely that OpenSSH can be compromised in those ways. It seems that the actual hacks were brute-force password attacks that simply succeeded.
I protect my system against brute-force attacks by allowing only 5 failures from a single host. When 5 failures (like invalid usernames) are detected, the host is blocked for 4 hours. It does have a whitelist of known hosts that I will never block. This is a simple script that constantly monitors messages from the ssh daemon. Oh, and when I say block I'm talking iptables, so all packets are dropped; the attacker is slowed down and the attack comes to a grinding halt. This approach works like a charm. When my server had just come online I got around 10 to 20 attacks per day that lasted for hours. Now I only get a few per day, which are automatically detected and killed at a very early stage.
Here's an extract from the sshd logfile (some fields are blurred). Here you'll see 5 errors from a specific IP address (98.173.XXX.XXX) and that's it. From then on, packets from that IP address are dropped.
extract from sshd.log
Here's an extract from the logfile of my script that shows which clients are blocked and unblocked. You will see that we block the attacker and around 4 hours later we re-enable it. If he's still attacking, he will be blocked for another 4 hours, etc.
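Here is a small Python re-implementation of that blocking policy (5 failures, 4-hour block, whitelist) as an added example; it is not the script from this post. It assumes a constructed sshd log extract with documentation addresses, a placeholder whitelist entry, and it records the iptables commands it would run instead of executing them.

```python
import re
from collections import defaultdict

MAX_FAILURES = 5            # failures allowed from one host
BLOCK_SECONDS = 4 * 3600    # block duration: four hours
WHITELIST = {"192.0.2.10"}  # assumed: known hosts never blocked (placeholder address)
# sshd auth failures name the client after "from"; covers both common line styles
FAIL_RE = re.compile(r"(?:Failed password|Invalid user).*?from (\d+\.\d+\.\d+\.\d+)")

class BruteForceBlocker:
    def __init__(self, whitelist=WHITELIST):
        self.failures = defaultdict(int)   # ip -> failures since last block
        self.blocked = {}                  # ip -> unix time the block expires
        self.whitelist = set(whitelist)
        self.actions = []                  # (event, ip, iptables command)

    def expire(self, now):
        # lift blocks older than BLOCK_SECONDS (the 4-hour re-enable)
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.actions.append(("unblock", ip, f"iptables -D INPUT -s {ip} -j DROP"))

    def feed(self, line, now):
        # process one sshd log line; returns the ip if it got blocked now
        self.expire(now)
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.whitelist or ip in self.blocked:
            return None            # never block known hosts; ignore already-blocked ones
        self.failures[ip] += 1
        if self.failures[ip] < MAX_FAILURES:
            return None
        self.failures[ip] = 0      # fifth failure: drop all packets from ip
        self.blocked[ip] = now + BLOCK_SECONDS
        self.actions.append(("block", ip, f"iptables -I INPUT -s {ip} -j DROP"))
        return ip

# constructed sample log: six attempts from one attacker, six from a whitelisted host
SAMPLE_LOG = ["sshd[41%d]: Invalid user admin from 203.0.113.7" % i for i in range(6)] + \
             ["sshd[52%d]: Failed password for root from 192.0.2.10 port 2222 ssh2" % i for i in range(6)]

def run_demo():
    # feed the sample log one second apart, then jump ahead four hours
    b = BruteForceBlocker()
    t0 = 1_300_000_000
    for i, line in enumerate(SAMPLE_LOG):
        b.feed(line, t0 + i)
    b.expire(t0 + BLOCK_SECONDS + 60)
    return b.actions
```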
Elvis lives! Many people always suspected that Elvis Presley's death was staged, and that now turns out to be true. Elvis lives and has a Dutch passport. At least, that is what researcher Jeroen van Beek has demonstrated. The chip used in European passports has been cracked (see OV-chipkaart).
The nominees for the yearly Pwnie Awards have been selected. The Pwnie Awards are an annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community. There are many categories, from “server-side bugs” to “Most Epic Fail” and even a “Lifetime Achievement Award”. Pick your favorite now. The winners of the Pwnie Awards will be announced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.
Today I came across a small article mentioning that the Data Loss Database has been taken over and will be maintained by the Open Security Foundation. Ignorant as I am, I didn't even know there was such a database. It holds all known cases of data loss worldwide. Take a look at it and see how many cases are reported. Once again the only question that comes to mind is: when will we ever learn?