194.110.162.23

Post by: on March 26th, 2008 | Filed Under Hacking, Security, Stupidity

At some point in the recent past my site was compromised by WordPress.net.in spam. I don't know exactly when the back door was put in place since I haven't been very active on this site, though I do know that on March 20th 194.110.162.23 hit default-filters.php and uploaded the malicious code to inject spam into the footer of my pages. Unfortunately the attack is for a different version of WordPress so rather than infect me with ads, it just screwed things up royally. Maybe that's a good thing as I noticed it.

A great write up of how to clean this mess up can be found here.

To sum it up:

  • Remove wp-includes/class-mail.php; it's fake.
  • Take out the lines hooking into the footer in wp-includes/default-filters.php
  • Remove the line from the top of wp-includes/default-filters.php that accepts a file given a random GET variable.
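As an added example (not code from the original post or from WordPress), a small Python scanner for the three indicators listed above. The regular expressions for the injected include line and the footer hook are assumptions, since the post does not quote the injected code, and the sample file is constructed:

```python
import re
from pathlib import Path

# Paths from the post. class-mail.php is not a WordPress core file.
FAKE_FILE = "wp-includes/class-mail.php"
FILTERS_FILE = "wp-includes/default-filters.php"

# Assumed patterns (the post does not quote the injected lines):
# an include/require whose argument comes straight from $_GET ...
GET_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\$_GET\b")
# ... and anything hooked into the footer, which a clean copy should not have.
FOOTER_HOOK = re.compile(r'add_(?:action|filter)\s*\(\s*["\']wp_footer["\']')


def scan_filters_text(text):
    """Return (line_number, reason) for suspicious lines of default-filters.php."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if GET_INCLUDE.search(line):
            hits.append((lineno, "include/require driven by $_GET"))
        elif FOOTER_HOOK.search(line):
            hits.append((lineno, "wp_footer hook: verify against a clean copy"))
    return hits


def scan_wordpress(root):
    """Scan a WordPress install directory; returns human-readable findings."""
    root = Path(root)
    findings = []
    if (root / FAKE_FILE).exists():
        findings.append(f"{FAKE_FILE}: present (not a core file; remove)")
    filters = root / FILTERS_FILE
    if filters.is_file():
        text = filters.read_text(encoding="utf-8", errors="replace")
        for lineno, reason in scan_filters_text(text):
            findings.append(f"{FILTERS_FILE}:{lineno}: {reason}")
    return findings


# Constructed sample of a tampered default-filters.php (not the real injected code).
SAMPLE_FILTERS = """<?php
if (isset($_GET['x'])) include($_GET['x']);
add_filter('the_title', 'wptexturize');
add_action('wp_footer', 'inject_spam_links');
"""

if __name__ == "__main__":
    for lineno, reason in scan_filters_text(SAMPLE_FILTERS):
        print(f"line {lineno}: {reason}")
```

Run `scan_wordpress("/path/to/wordpress")` against the real install; compare any wp_footer hit with a pristine copy of the same WordPress version before deleting it.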

The take away lesson here is: Even if you're not actively publishing on your blog, you better make sure your software is up to date. I've been busy with other stuff and neglected mine, unfortunately.

EDIT: I've done some poking. 194.110.162.23 is out of "Extended Host" in New York City. I'll refrain from scanning it, though I am darn tempted to see what back doors were opened on that box. As it is, I'll just email the host and inform them of the troubles.


iHack – The Beginning

Post by: on November 6th, 2007 | Filed Under Hacking, iPod, Security

A friend of mine passed on his used 60GB video iPod to me, which was very much appreciated as my old Sony MD-Walkman still works (God bless duct tape), but is hindered by all kinds of nasty DRM. Nasty enough that I have been unable to even change any songs on there in the past three years as I lost the software. Nasty enough that nobody has bothered to reverse engineer it because even with documentation it's a bear. So I had been planning on getting something, and this was quite a nice graduation present. I immediately replaced the firmware with something a bit more "free", Rockbox, and named her 'Katana'. Now I've got a nice flat file browser that lets me drop in almost any type of file I want. This doesn't stop at music and videos, I can also read text files, view pictures, etc. Naturally, that's not enough for me *wicked grin*. Read on to see some fun hacks that can be had with your iPod.

Plaintext Passwords… Again!

Post by: on May 25th, 2007 | Filed Under Hacking, Perl, Security

If you follow my blog, and sadly most of my readers have stopped checking, you'll remember the security hole I found on a major website around Valentine's Day. You should also remember I had a very good experience with the developers there, in terms of their competence and politeness.

Well, I just tried to log in to that site on an account I haven't used in... well.. a long time, let's leave it at that. Sadly, I'd forgotten my password, and they do a very smart thing in limiting how many failed logins one can have before resetting the password, so I was forced to reset mine. Up to this point, everything is working as it should, removing the possibility of brute force attacks with only limited user annoyance every few months.

Then I noticed that... uh-oh... the reset page wasn't SSL. I thought "Oh, don't worry, I'll bet it's posted to an SSL domain," but grepping the source proved otherwise. Bugged, I decided to sniff my traffic and see what was happening, and sure enough, my password flew by in plaintext. This time it wasn't anything as stupid as a "Mother's Maiden Name" type question that also requires a little social engineering; this is MY PASSWORD and MY USERNAME flying by.

Here's a look at a sanitized version of the information in the packet that gives it all away.

Content-Type:application/x-www-form-urlencoded
Content-Length:102
submitok=1
cc=ff6cda68ba7b4c
tt=1180114618
email=****@****.***
newpass1=PLAINTEXT
newpass2=PLAINTEXT
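As an added illustration (not code from the original post), here is the "grep the source" check done properly: a site operator can run it over a page's HTML to find every form that collects a password but would submit it over plain HTTP. The sample page and URLs are constructed to resemble the reset form behind the request above:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Collects each <form>'s action and its <input> (name, type) pairs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            ftype = (a.get("type") or "text").lower()
            self._current["fields"].append((name, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def _collects_password(form):
    # type=password is the usual case; also catch text inputs named like the
    # newpass1/newpass2 fields in the captured request.
    return any(t == "password" or "pass" in n for n, t in form["fields"])

def plaintext_password_forms(page_url, html):
    """Return the submit URL of every password form that does not post to https.
    A relative or empty action inherits the page's own scheme, so a reset form
    on an http:// page is flagged even though its HTML never says "http"."""
    collector = _FormCollector()
    collector.feed(html)
    flagged = []
    for form in collector.forms:
        if _collects_password(form):
            target = urljoin(page_url, form["action"])
            if urlsplit(target).scheme != "https":
                flagged.append(target)
    return flagged

# Constructed page resembling the reset form behind the captured request above.
RESET_PAGE = """<form method="post" action="reset.php">
<input type="hidden" name="submitok" value="1">
<input type="text" name="email">
<input type="password" name="newpass1">
<input type="password" name="newpass2">
</form>"""

if __name__ == "__main__":
    print(plaintext_password_forms("http://www.example.com/reset.php", RESET_PAGE))
```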

The Impact:
If I have to be sniffing the traffic in order to catch the password, this isn't as effective as, say, just phishing for the credentials, but this attack doesn't require any human stupidity.

However, this again is a very effective attack for large networks. ARP Poisoning is fairly trivial in this day and age, so even on a switched network one can grab these credentials. On a large network such as a dormitory, or campus this attack will work on as many people as are connected to the router you have access to. Worse, combine this with a botnet or other malware on a victim's machine, and it'll work on everyone who logs on to the site on an infected computer.

Another fun trick, as identified by the researchers at Indiana University, is subverting routers. If one subverts a router to modify the firmware, such an attack could easily be set up to happen on all traffic passing through the router, eliminating the need for ARP Poisoning. However, this requires an insecure router to start with, and the target would be a much smaller number.

The Attack:
I'll talk through an attack from a dormitory, as that's the first I thought of. Once you're set up with your ARP Poisoning, it's time to get users to reset their password. Get a large list of email addresses from your school (this is very, very easy to script; you should be able to get tons of addresses). Now, you can either exploit the password reset security feature, or simply hit the reset.php page with each email address. Once you've reset the password, sit and sniff the network for any packets going to the page that actually does the resetting. Save all those packets, and you have all the information you need to compromise the accounts of everyone in your dorm!

I happen to know (whipped up a script to prove it) that this can quite easily be done in Perl where you never have to do anything, just sit and watch the logins go by.

The Payoff:
Once you have all the logins, you can either be very malicious and overt, or very subtle and clever. One might immediately hit the account page to change the password to something to lock out the legitimate user, or maybe even delete the account. Or, to be clever, throw all the logins into a database for later exploitation. It'd be smarter to do the second, because then the attack will go unnoticed for a while.

My Actions:
As usual, I'm accompanying this post with an email to the development squad of that website. I'm not releasing the name of the site, will delete any comments that say what site it is, and won't make my exploit code available anywhere. I will speak for the quality of the site's developers, from my last dealings with them, and know this will be fixed before any real attacks can be launched.


Fun had with Printers – In Depth

Post by: on March 10th, 2007 | Filed Under Hacking, Interests, Security

I'm in a bad way right now. Personal issues just about every week have made this semester the semester from Hell. Well, today was the worst, I've almost snapped from stress, depression, lots of stuff. Not meaning for this to be emo, just want to set up what goes into these posts more. Anyways I went running tonight. Car's messed up, needed to get out so I just lit out runnin. Ended up (so far, nowhere near done) at the school library, wanting to do some hacking. A lot of my hacking is done when I'm trying to clear my mind of larger issues, which is how I get issues so bottled up inside that I can snap. This is a problem, but tonight, I just need an escape. So I *just* hit publish on a semi-decent write up of fun I've had with printers, and I want to show you some more in depth.

I'd like to start with saying I'm not doing this to be malicious... I'm just curious about these printers. Nothing I do will be aimed at hurting the printer in any way, nor the school network. I'm not doing anything here because I'm bitter or have pent up stress, I need an escape, and here's a great way to spend 30 minutes off in a wonderful world of binary choices where everything works out right. Without further ado: a look at my school's printers.

Power Attacks – Not Just For SIM Cards

Post by: on March 1st, 2007 | Filed Under Hacking

Well, I'm awake on time (9 am), done my workout, eating breakfast as we speak and I'm squeaky clean from my shower. This new morning routine gives me lots of time to ponder before starting my day, and I was reflecting on an interesting happening yesterday. Quickly summing it up, I was able to apply a hacking method for hardware to an AIM conversation, fun huh?

Quick language lesson: Power Attack - The name of a certain type of attack, usually used on hardware, that determines information from power drawn. This was originally used on smart cards where one could determine the encryption key by measuring the power drawn off the card at certain points in authentication.

So yesterday I was having a somewhat personal conversation with a girl who does CS-like stuff at a really cool University (cool in my mind for some working agreements they have with notable social networking sites). She's a good friend and we'd discussed this topic in the past, but for whatever reason I was being very standoffish. I'll take this time to point out there's nothing illicit going on, I just respect the privacy of anyone I talk to, and the conversation topic might identify her to people that know her.

Well, conversation turned to a lighter topic, and involved a scientific equation that I try to live by. At most two people in the world (aside from me) know this equation... and it's a closely guarded Snarky-Secret, so it shan't be aired just yet, but after I mentioned this equation I noticed the little 'typing' icon on her GAIM window was on for about a minute. After which she replied "Absolutely true". I pointed out that that was an awfully long time to type such a small phrase, and was able to drag the real message out of her.

Now, that's just a stupid little case where a power attack actually worked, but I was darn proud. This shows that, for those of you who aren't hackers (probably a majority of my readers), you can still apply "hacker techniques" to any area of your life, regardless of whether there's obvious overlap or not. Here, a technique that's normally used against corporations (to find out when they're working), Smart Cards, and keyboards effectively took down the most powerful defense known to man.... the female mind.


Plain Text Passwords – Followup

Post by: on February 21st, 2007 | Filed Under Hacking, Interests, Security

This is just a quick update about the story I posted last week regarding a nice security hole in a major Internet Site. The tech support there have actually been really, really great in working with me to fix this problem. They emailed me an initial "Hey we got your report" the day I sent it out, and later this email I'm sharing with you. I initially expected to lose that account (and at one point today, I kinda wish I had), but so far it hasn't been locked or damaged in any way that I can see. I got an email from them that I'd like to share as an example of doing things the right way.

Hi {Name},

We are aware of the issue that you described, and we will look into some possible solutions that won't disrupt page load times and general site performance. Thanks again, we appreciate the email and the blog post.

Thanks,

{Name}
{Title}
{Site}

I fully expected something more along the lines of a Cease and Desist letter, as I've got quite a few friends who managed to procure those from simply pointing out insecurities. Apparently some corporations feel the correct response to an academic report of a bug on their site is the same response one would use for a malicious hacker attempting to exploit their site. This company, however, was different and literally turned my perspective around. I really, really did not like them for a variety of reasons (mainly revolving around security) but after this they get an A in my book.

Bottom line: No code is flawless; it's how you deal with the bug reports that sets your site apart, not how perfect you can make it in the first place.

These guys got it, and once the issue is resolved I might even put their name up here (with their permission) and support them openly because too few companies are that willing to accept criticism and security hole reports.


Plain Text Passwords

Post by: on February 13th, 2007 | Filed Under Annoyances, Hacking, Interests, Security, Stupidity

So I was feeling kinda down a few days ago, and I turned to the thing that always cheers me up, hacking. Nothing malicious, just seeing what bugs I could turn up. Found a great one dealing with why sites should use HTTPS instead of HTTP traffic by default. Oh, I've taken the liberty of attempting to clear out all links to my accounts. Don't worry, my account doesn't use that security question any longer. Also, because this post isn't malicious, I'm omitting the name of the site I found this on (and really, it could be any of the major sites out there, they all act a lot the same and I've yet to go check some other major ones) because they deserve anonymity as much as I do.

Linux LoveCD

Post by: on February 12th, 2007 | Filed Under Hacking, Interests, Linux

Last year I had a fairly, bleh, Valentine's day post. It was rushed, poorly done, and all over the place. This year, this year is different. You may notice that this is BEFORE Valentine's day... that's true. I'm putting this out early, with the same hopes as last year, that some geek out there might score a date for the rest of us! Now, my plan this year, is a personalized Linux LiveCD that I'm calling the LoveCD. So, this post is going to be 10 fun ways to personalize a CD for that special someone (or laptop, in my case).

Coding as… a religion?!

Post by: on January 19th, 2007 | Filed Under Hacking, Interests, Programming

So there I was.... sitting in "Popular Religion and Cyberspace" minding my own darn business when BAM, professor assigns a paper! Uncool... What did the paper have to be on? A form of folk, popular, or vernacular religion that we'd experienced. That was the entire assignment description. Right quick I'll tell you that these are folklore terms for religions that: differ from a formal religion slightly; are of a repressed group; or the personal beliefs of people and how they perceive religion, respectively.

Now I had an initial idea to write about the religion found in Walraven, but after talking with the creator for a bit, decided this wasn't gonna work. So, the other guys on the IRC channel (developers of Walraven / friends of them) started throwing out other ideas related to coding, and I took them and ran with it. Here's what I came up with:

Botnet – Not just the Bane of Mankind!

Post by: on January 8th, 2007 | Filed Under Botnet, Games, Hacking, Interests

So, everyone in this age has heard of the "eeeeeviiiil botnets", yes? They're shown all over the media threatening our livelihoods, they're written about in the newspapers, and it's obvious the world is going to end tomorrow due to these little buggers. Or is it? I for one am quite intrigued by botnets, and the viruses (I was formally corrected this weekend that viruses is the "correct" plural, so there ya go) that form them. In many ways these evil little guys are the best coding we see nowadays when OSes are.... abysmal to say the least. Now, of course I'm not intrigued enough to MAKE a botnet in the wild... that'd be evil and wrong, and obviously I'd be anti-freedom. But I'd still like to play with them, and to that end, I unveil the game Harkins and I were working on this weekend.

Botnet!

Now, that website is nothing more than a placeholder so ya'll don't browse my site... it'll get better I promise, as this game'll be advertised entirely online. Hopefully I can convince the God of CSS (Harkins) to bang out something flashy.

Basically the premise is that you are an upstart botnet mastermind. Your computer might not be the best, and your viruses a tad unstealthy (at first), but you want to make your mark on the world. You move through a "network" of system cards trying to complete missions, or destroy your opponent. It's different from other card games, with some influences showing through. Gameplay is not nailed down yet. So that's all I'll say for now.

One goal we are looking for, however, is to make it somewhat realistic. For instance: the cards all are real-life things, different OSes, ways a cracker might hack something, etc. We don't want to make something that'll just further the fear of teenage punks in dark basements sipping Jolt. Also, we want this to be simple... our first version might have been too simple.

Rules version 1 -

  • For this version we did combat as follows: At the end of a turn, whichever side had more viruses on a system won it, and the others were removed. This proved to be a bit... weird... due to modifiers and deciding who was attacking whom. This has been scrapped.
  • We did movement by having a limit to how many different viruses one can move, and how far they can move through the network. This slowed things down in the beginning, and is being reworked.
  • Income was kept over turn endings, and couldn't be spent quickly enough due to a small hand limit. This is definitely changing in a few ways, as we'll probably make you clear your income every turn, among other things.
  • All in all, it was a tad fun, and should be loads more once the game's sped up a bit, and you actually have to make decisions about spending money or saving it.

Those're my brief and very disorganized (still banging on xorg from my previous post) thoughts on the first system we play tested. Harkins, if you think of anything you'd like to add, feel free.

Current rules will be kept at: Here
Cards can be viewed and printed at: Here
Forums are: Here
