Oct 17, 2009

My Alfa AWUS036H

Today I got my long-range USB adapter from geek001.




- Posted from my iPhone.

Oct 10, 2009

New Tool: Disk2vhd v1.0

>>> Sent via Google Reader:

New Tool: Disk2vhd v1.0
via Sysinternals Site Discussion by curtismetz on 10/7/09

Disk2vhd v1.0: We're excited to announce a new Sysinternals tool, Disk2vhd, that simplifies the migration of physical systems into virtual machines (p2v). Just run Disk2vhd on the system you want to migrate and specify the volumes for which you want data included, and Disk2vhd creates a consistent point-in-time volume snapshot followed by an export of the selected volumes into one or more VHDs that you can add to a new or existing Hyper-V or Virtual PC virtual machine.

Oct 6, 2009

HotMail, MSN, LIVE Accounts Hacked

An anonymous user posted more than 10K account details on October 1 at pastebin.com.

The list has since been removed, as it was confirmed that those accounts are genuine. The account logins in the list start at A and run through B, suggesting there could be additional lists.

Currently it appears that only accounts used to access Microsoft's Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts.

Reference:

HITB 2009

Guys, I'm going to HITB in KL today. Catch up later at the conference.


- Posted from my iPhone.

Sep 30, 2009

What You May Not Know about the SMB2 0Day

What you may already have heard or know about the SMBv2 0day as of today:



Here's a list of follow-ups that you may not know about yet:

  • More than 10 versions of the exploit are available here (C, Perl, Python, Ruby, Win32).
  • A port of the BSOD code to Metasploit (instead of RCE).
  • A Winsock edition is here.
  • An SMBv2 vulnerability scanner (class B, C) in Python.


In addition, rumor has it:

"We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer) and Windows Server 2008 R2," the spokesperson says. "We're working to develop a security update for Windows Vista, Windows Server 2008 and Windows 7 RC."

Sep 28, 2009

Windows Media Player Network Sharing Service

In Windows 7, there is a service called "Windows Media Player Network Sharing Service" (WMPNetworkSvc, or "C:\Program Files\Windows Media Player\wmpnetwk.exe").

This process starts even if you set it to manual. The service opens TCP port 10243. If you scan it with Nmap, you get "Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)".

I recommend setting it to "Disabled" to reduce the attack surface on any Windows 7 platform.

Excellent Guide on AES

An excellent guide on the Advanced Encryption Standard (AES) from Jeff Moser.

You can download a copy of the excellent article in PDF or PPT format if you like it as much as I do!

Sep 27, 2009

Enhancement to Split-Tunnel VPN

Remember the Split-Tunnel VPN?

In case you need a script to manually add some static routes to your corporate network, here's one:

@echo off
REM Take the gateway (third column of "route print") from the VPN's 10.0.0.0 route.
for /f "tokens=3" %%x in ('route print ^| find "10.0.0.0"') do @set INPUT=%%x
if not defined INPUT (echo VPN route for 10.0.0.0 not found. Is the VPN connected? & exit /b 1)

REM 172.16.0.0/12 is mask 255.240.0.0 and 192.168.0.0/16 is mask 255.255.0.0.
route add 172.16.0.0 mask 255.240.0.0 %INPUT% metric 1
route add 192.168.0.0 mask 255.255.0.0 %INPUT% metric 1

Have fun!

This assumes your VPN login subnet is 10.0.0.0/8 and you wish to add 2 static routes: 172.16.0.0/12 and 192.168.0.0/16.

Sep 26, 2009

Is Weakness a Vulnerability?

No, according to Microsoft.

BitLocker Drive Encryption is a full disk encryption solution introduced by Microsoft in Vista (Ultimate and Enterprise editions) and enhanced in Windows 7. A lot of people have noticed that full disk encryption isn't a panacea for data loss prevention.

Thus, in Windows 7, Microsoft takes it to the next level to protect your data, even on removable drives.

BitLocker-to-Go is a new feature available in Windows 7 (Ultimate and Enterprise editions only). It extends BitLocker data protection to USB storage devices, enabling them to be restricted with a passphrase. In addition to having control over passphrase length and complexity, IT administrators can set a policy that requires users to apply BitLocker protection to all removable drives before being able to write to them.

Does BitLocker in Windows 7 seem perfect? No, not yet.

Based on testing, first you need a TPM before you can use BitLocker. In Windows 7, BitLocker lets you protect the hard disk and removable drives (USB connection). But it still misses out the floppy drive and CD-R/CD-RW/DVD-R/DVD-RW.

This isn't a vulnerability. It is by design.

Sep 25, 2009

"The requested operation requires elevation."

Ever since Vista introduced UAC (User Account Control), it has been an issue whenever you need to execute a command or script at the command prompt.

Here's the message you get; it means you hit UAC when executing the command.

"The requested operation requires elevation."

You have 3 options:
  • Turn off UAC (bad idea).
  • From the "Start" menu, follow "All Programs", "Accessories"; right-click "Command Prompt" and select "Run as administrator".
  • Use the shortcut below:
    • Go to "Start" and enter "cmd" into the search field.
    • Do not just hit Enter. Hold Ctrl + Shift and hit Enter!
This works on Windows 7 too!

Split-Tunnel VPN

A lot of the time, we work from home (WFH). To work, we need to set up a VPN tunnel back to the office network, to read email for instance. Once the VPN is connected, you lose all direct connections to the Internet: torrent downloads, Skype, IM, etc.

The fix for this is called "split-tunneling VPN". It allows you to connect to the office network via VPN and to the Internet directly at the same time. Split-tunneling configures the VPN connection so that only traffic headed for computers on the office network is sent through the VPN connection; all other traffic goes out through your home router.

Follow these steps to set up a VPN connection in Windows XP/Vista/7 that uses split tunneling:
  • Setup your VPN connection using the instruction from your corporate standard.
  • Right-click the VPN connection and select "Properties."
  • Select the "Networking" tab.
  • Highlight "Internet Protocol Version 4 (TCP/IP v4)."
  • Click "Properties"
  • Click "Advanced"
  • Uncheck the "Use default gateway on remote network" box. (This is turned on by default.)
  • Click "OK" a few times to close the windows you opened.
From that point forward, only traffic destined for your corporate network will be sent through the VPN. All other traffic will use the local network.

Note: If your corporate network contains other internal subnets, you will need to add static routes for them manually.

Update: see the enhancement example.

IBM ThinkPad BIOS Password Recovery

This is a short article showing how to recover an old IBM ThinkPad supervisor password. IBM claimed their ThinkPad BIOS passwords are impossible to break. Here is an easy and cheap way to break it. The stuff you need costs about $5, plus a spare PC with a serial port.


Sep 24, 2009

Mastering The Metasploit Framework


Offensive Security has launched free online Metasploit Framework training. It is definitely worth checking out. Enjoy!

Sep 8, 2009

SMB2 BSOD 0Day

The vulnerability was discovered by Laurent Gaffié. Here's a short description of the vulnerability:
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it's used to identify the SMB dialect that will be used for further communication.
Based on testing, Vista/2003/2008/Windows 7 (RC) are vulnerable to this exploit. However, Windows 2000/XP/Windows 7 (RTM) are NOT affected by it.

References:

Sep 4, 2009

Windows 7 RTM


Today, I upgraded my laptop from Windows XP to Windows 7 RTM (Ultimate x64). This is my logon screen.

Aug 31, 2009

Microsoft IIS 5/6 FTP 0Day released

A new 0-day exploit has been released. It targets the Microsoft IIS 5/6 FTP service on Windows 2000.

Your server is vulnerable if you are:
  • Running the Microsoft IIS 5/6 FTP service on Windows 2000.
  • Allowing anonymous access with WRITE permission.
References:

Aug 27, 2009

Crypto Attacks: It’s the implementation stupid

This is a great write-up analyzing Moxie Marlinspike's latest sslstrip tool (introduced at BH09). The tool exploits a vulnerability in most current browsers that can break SSL connections.

The root cause of this vulnerability is at:
This vulnerability relies on the fact that character strings within X.509 certificates are ASN.1 encoded, but software written in the C programming language typically manipulates character strings as null terminated character arrays. ASN.1 strings are stored using a form of Type-Length-Value (TLV) encoding. C strings are simply terminated by a null byte (\x00).

Enjoy the article here!

Aug 24, 2009

Facebook CSRF Attack

This attack caused personal information leakage. The details of the attack can be found at:
Here's the anatomy of the attack.

Jul 31, 2009

Black Hat 2009: Parking meter hacking

>>>> Black Hat 2009: Parking meter hacking

via Hack a Day by Zach Banks on 7/30/09
For day two of Black Hat, we sat in on [Joe Grand], [Jacob Appelbaum], and [Chris Tarnovsky]'s study of the electronic parking meter industry. They decided to study parking meters because they are available everywhere, but rarely considered from a security perspective.

They focused on the San Francisco's MTA implementation of electronic smart card meters. To start they purchased several meters on eBay just to see the different styles. SF MTA lets you purchase disposable payment cards with values of $20 or $50. They decided to sniff the interaction between the meter and the smartcard using a shim. With that first capture they were able to easily replay the transaction. This didn't require a smartcard reader, just an oscilloscope. They then took the attack a little further.
[Joe] built a smartcard emulator using a PIC16F648A. They used it to capture multiple transactions and then decoded the interactions by hand. Luckily, the card was using the IEC 7816 standard so they had some insight into the protocol. They found that the card has a stored maximum value and only writes how many times the value has been decremented. As a proof of concept, they change the maximum value, which you can see on the meter above. They could also have just changed the acknowledgement so that the card never writes any deductions.
The PIC16F648A was a good choice because it's available in a smart card format called a 'silver card'. You can find the emulator code and slides from the talk on [Joe]'s site about the project.

Breaking SSL with NULL Character


Another interesting post about what's happening at the BlackHat event in Las Vegas right now: SSL.

Moxie Marlinspike and Dan Kaminsky independently found a problem in most implementations that enables an attacker to create certificates that appear valid for any web site. By cleverly embedding NULL characters in the certificate name field, a browser can be made to incorrectly match a malicious certificate to a valid web site.

Earlier this year, we saw sslstrip hijacking SSL at BlackHat DC. This time, both experts make the attack even more effective. See here:
You (evil admin) apply for a certificate. The certificate authority (CA) looks at the common name (CN) on the form and contacts the domain owner. The CA ignores the subdomain.

The trick is to drop in a [NULL] character in the subdomain, such as www.paypal.com[NULL].eviladm.org, the CA will contact the owner of eviladm.org and issue the cert.

When clients use a browser to verify the cert, the null character causes them to think the certificate is valid for www.paypal.com because they stop at the null character. Even if the client examines the cert in their browser, it will show www.paypal.com. Wildcards work as well. You could get a certificate for *[NULL].eviladm.org and appear as any site you want.
Moxie will release his new code soon, to be part of sslsniff 0.6.
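To make the root cause concrete, here is an added example (not from the post, and not sslsniff's code) that puts a C-style, NUL-terminated name comparison beside a length-aware one. The certificate names are constructed; "eviladm.org" is the post's own placeholder domain, and the glob-style wildcard matching in the vulnerable version is an assumption about how some client stacks behaved.

```python
# Added example (not from the post or from sslsniff): a C-style, NUL-terminated
# name comparison beside a length-aware one. Certificate names are constructed
# for illustration; "eviladm.org" is the post's own placeholder domain.

def c_string(buf: bytes) -> bytes:
    """What C string functions see: the bytes up to the first NUL."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]

def ca_contact_domain(cert_name: bytes) -> bytes:
    """The CA reads the full ASN.1 string and contacts the registrable domain
    at the end of it, ignoring everything in front (the "subdomain")."""
    return b".".join(cert_name.split(b".")[-2:])

def matches_vulnerable(cert_name: bytes, host: bytes) -> bool:
    """strcmp-style match: the comparison stops at the NUL, so the CA-verified
    suffix is never looked at. Wildcards are glob-style (an assumption)."""
    name = c_string(cert_name)
    if b"*" in name:
        prefix, _, suffix = name.partition(b"*")
        return host.startswith(prefix) and host.endswith(suffix)
    return name == host

def matches_fixed(cert_name: bytes, host: bytes) -> bool:
    """Length-aware match over the whole encoded string. A NUL can never occur
    in a DNS name, so its presence is reason to reject the certificate; a
    wildcard is only honoured as the entire leftmost label."""
    if b"\x00" in cert_name:
        return False
    if cert_name.startswith(b"*."):
        labels = host.split(b".")
        return len(labels) >= 3 and b".".join(labels[1:]) == cert_name[2:]
    return cert_name == host
```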

Bootkit Bypasses Hard Disk Encryption

Bootkit = Bootable + Rootkit

This year, at the BlackHat security conference, Austrian IT security specialist Peter Kleissner presented an open development framework for creating rootkits that activate early in the boot process via the MBR, aka a bootkit.

This bootkit combines a rootkit with the ability to modify a PC's Master Boot Record (MBR), enabling the malware to be activated even before the operating system is started. The bootkit is called Stoned, and it is capable of bypassing TrueCrypt partition and system encryption.

You can access the BH USA 2009 media archives to get a copy of the slides and paper.

BIND 9 Dynamic Update DoS

This time, ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to cause a DoS. Both a POC exploit and a patch are available now. Here's the summary:
BIND Dynamic Update DoS
CVE: CVE-2009-0696
CERT: VU#725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.
McAfee did a good job summarizing how the attack works. You can follow it here if you are interested in the details.

References:
POC exploit is available at:
Update: I found that there is a workaround that can be applied in case a patch isn't available from the vendor. Try this at your own risk.
# Drop UDP/53 packets whose DNS opcode is 5 (UPDATE). Byte offset 30 assumes a
# 20-byte IP header (no options): bytes 30-33 hold the DNS flags and QDCOUNT,
# ">>27" keeps the QR bit plus the 4-bit opcode, and "&0xF" keeps the opcode alone.
# Note that legitimate dynamic updates (e.g. from DHCP servers) are dropped too.
iptables -A INPUT -p udp --dport 53 -m u32 --u32 '30>>27&0xF=5' -j DROP
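Since the u32 expression is rather opaque, here is an added example (not from the post or from ISC) that spells out what it tests, run over constructed DNS packets, and beside it a check that locates the DNS header through the IP header length instead of assuming a 20-byte header. The packet builder and addresses are constructed for illustration.

```python
import struct

# Added example (not from the post or from ISC): what the u32 expression
# '30>>27&0xF=5' actually tests, run over constructed packets, plus a check
# that honours the IP header length instead of assuming 20 bytes.

def build_packet(opcode: int, ihl_words: int = 5, qr: int = 0) -> bytes:
    """Constructed IPv4/UDP/DNS datagram to port 53 with the given DNS opcode.
    ihl_words > 5 pads the IP header with (zeroed) options."""
    ip_len = ihl_words * 4
    dns = struct.pack("!HHHHHH", 0x1234, (qr << 15) | (opcode << 11), 1, 0, 0, 0)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     ip_len + len(udp) + len(dns), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + b"\x00" * (ip_len - 20) + udp + dns

def u32_matches(pkt: bytes) -> bool:
    """Literal translation of '30>>27&0xF=5': take the 32-bit big-endian word
    at byte offset 30 of the IP packet, shift right 27, mask to 4 bits, compare.
    With no IP options, bytes 30-33 are the DNS flags word plus QDCOUNT."""
    word = int.from_bytes(pkt[30:34], "big")
    return ((word >> 27) & 0xF) == 5

def dns_opcode(pkt: bytes):
    """Opcode of a UDP/53 datagram, located via the IHL field; None if not DNS."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:                                        # protocol must be UDP
        return None
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if dst_port != 53:
        return None
    flags = struct.unpack("!H", pkt[ihl + 10:ihl + 12])[0]  # DNS header bytes 2-3
    return (flags >> 11) & 0xF                              # QR(1) OPCODE(4) AA TC RD ...

DNS_OPCODE_UPDATE = 5

def should_drop(pkt: bytes) -> bool:
    """Same decision as the iptables rule, but robust to IP options."""
    return dns_opcode(pkt) == DNS_OPCODE_UPDATE
```

The fixed offset means a packet carrying IP options slips past the u32 rule while the IHL-aware check still classifies it as an UPDATE.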

“make it so that security is not the security team’s problem”

I have not been able to make it to the BlackHat event this year in Las Vegas. I wish I were there to listen to this excellent talk by the keynote speaker, Douglas Merrill.

MI5 Website Hacked

The website of the UK counter-intelligence and security agency MI5 has been hacked, with the result that the identity of visitors could be stolen and viruses downloaded to their computers.

According to the source, it was hacked by a group of hackers known as Team Elite, who have previously hacked into the WHO's website and attacked VISA's computer systems.

Read more on:

Jul 27, 2009

It is Time for Network Solutions

>>>> Half a million customers' credit card data stolen from Network Solutions

Unknown criminals have stolen more than 500,000 data sets containing credit card numbers from registrar and hosting provider Network Solutions. Apparently, the criminals managed to inject special code, designed to intercept transaction data, into 4,343 Network Solutions hosted merchant websites.

The injected code appears to have been activated on March 12 and was not discovered until June 8. During the period in which the code was active, details of 573,928 purchases, from web sites using the Network Solutions infrastructure, were intercepted. Details of how the attackers penetrated the system have yet to be disclosed.

Laws in many US states requiring customers affected by such cases to be informed have created an organizational nightmare for many small shop operators; not least, because the laws governing such cases vary from state to state. Network Solutions has extended these operators a helping hand, however, offering to handle informing shop owners' customers for free through a company called Trans Union that specialises in such matters.

For customers whose credit card data was stolen, Network Solutions has offered to monitor transactions for suspicious activity for 12 months, free of charge. According to the company's information page, the offer only applies to customers located within the United States. It is still not clear whether customers in other countries have been affected. While the customer FAQ states that Trans Union will also inform foreign customers, the dealers' information page specifically mentions only "US-based customers."

Jul 26, 2009

ISO 27001 by Praxiom Research Group

I just found this site recently and wish to share it with everyone interested in ISO IEC 27001:2005 and 27002:2005.

Here's the link; it has lots of information and resources.


Jul 25, 2009

Getting into Trouble for Tracking Hackers

Remember the news about the DDoS attack against South Korea and the US earlier?

According to news at InfoSec Magazine, VNCERT has received an "official complaint" from KrCERT about its efforts to track down the source of the computer virus attacks.

Jul 24, 2009

This is Called Auto Login

To Infosecurity Magazine: this is called "AUTO LOGIN", not a "BACKDOOR".
Infosecurity isn't really sure either, but the breathtakingly simple technology tweak appears to have been coded as a backdoor to Windows XP for administrators who are having password difficulties.

I'm surprised by the Infosecurity Magazine post "TuCows review shows how to start WinXP without a password" after watching the video in the Butterscotch tutorial. This isn't a hidden command in XP. Anyone can simply issue the command and do so (with administrator privilege).
control userpasswords2
My point is, how could InfoSec Mag not know this?

Jul 21, 2009

JSON Hijacking

I've been introduced to this JSON Hijacking topic recently. It is a very nice write-up.

Basically this vulnerability requires that you are exposing a JSON service which…
  • Returns sensitive data with a JSON array.
  • Responds to GET requests.
  • Has JavaScript enabled (very likely the case)
  • Supports the __defineSetter__ method.
This type of attack looks like a variant of a Cross-Site Request Forgery (CSRF) attack.

Amazon Web Services and IaaS

With Steve Riley starting his new role as evangelist and strategist for Amazon Web Services, we have been introduced to Amazon's business model for Infrastructure-as-a-Service (IaaS).

Amazon's cloud computing approach follows the infrastructure as a service (IaaS) model. AWS includes these components:

  • Elastic Compute Cloud (EC2)—virtual server instances on which you run your choice of operating systems, web servers, and applications
  • Simple Storage Service (S3)—persistent data object stores accessible through several standard protocols
  • SimpleDB—web-based data indexing and querying services without complex schemas
  • Simple Queue Service (SQS)—a message queuing service integrated with EC2 and other AWS services
  • CloudFront—a content delivery service for data served up from S3 stores close to end users
  • Elastic MapReduce—a hosted Hadoop framework for processing large amounts of data

Jul 17, 2009

HTTPS, SANS, FireStats, MySQL and Table Name

Ever wondered which engines power the SANS Security Leadership Blog? An error message appeared while browsing blogs.sans.org today. You can see that MySQL is used, and the table name.

And HTTPS never prevents information leakage through error messages. :-)

Jul 16, 2009

Google Chrome Extension and New-New Tab

Starting in March 2009, Google Chrome began to support extensions. Google Chrome releases updates via 3 release channels:
  • Stable channel.
  • Beta channel (monthly update).
  • Dev channel: for developer preview.
First I upgraded my Google Chrome to the Dev channel via the early access release channels. Once everything was completed, it showed I'm running version 3.0.193.0 (as of now).

Then I modified the startup argument of the shortcut (or run it from the command line) as below:
"C:\Documents and Settings\mylogin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --enable-extensions --load-extension="c:\myextension" --enable-user-scripts --new-new-tab-page
In case you wish to list/uninstall extensions: type chrome://extensions in the address bar.

References:

DDoS Attack Master Server is Identified

Recently, there was a DDoS attack against South Korean and US networks. Vietnamese security experts from Bkis claimed that the master server of the cyber attacks was located in Britain, a report Korean authorities confirmed as credible.

Based on their investigation, about 166,908 "zombie" computers from 74 countries around the world were used for the attacks, controlled by 8 Command & Control (C&C) servers. They successfully identified the master server after they hacked into 2 of the 8 C&C servers.

This allowed them to determine that the IP address of the master server, which is running Windows Server 2003, is 195.90.118.xxx and that it is located in the UK.


References:

Jul 14, 2009

Google Web Elements

Google Web Elements allow you to easily add your favorite Google products to your own website.
  • Google Calendar
  • Google Search
  • Google Map
  • Google News
  • Google Conversation
  • Google Docs: Presentation & Spreadsheet
  • YouTube News

Jul 1, 2009

Get Free Airport WiFi

Blogger Felix Geisendorfer points out a clever URL hack that scored him free Wi-Fi at the Atlanta airport.
I found that I could easily visit sites like slashdot, Google, or even this weblog, when adding a ?.jpg at the end of the url. The next logical step was to automate that. I downloaded Greasemonkey and wrote a 4 line script that would add ?.jpg to every link in a document. That way I was able to browse most sites without a hassle.
This trick will only work on Wi-Fi networks that allow images to go through without a redirect, and though it may seem like a bit of a stretch, it's better than shelling out $7 for 30 minutes of Wi-Fi.

One of the users suggested using "#" or "&" instead of "?", as "#" terminates the URL as far as most browsers are concerned.

Next time, if I'm ever stuck at an airport, I'll try this trick! :-D

Jun 30, 2009

Google Reader Lite

Recently, the Google Reader homepage was updated with a small feed reader covering 3 feed categories: News, Popular, Sport.

You can access this Google Reader Lite directly instead of via the iFrame.

Jun 29, 2009

Forensic on Microsoft Office Document Metadata

This is a post about performing metadata forensics on Office documents using a few tools: wmd.pl, SSView, BIFFView.

As a forensic practitioner, you shouldn't have missed the Deeply Embedded Metadata post at CmdLab.

Jun 28, 2009

DoS in HTTP

This weekend, I've been spending time checking a couple of postings about denial of service (DoS). Of course, it all began with the recent HTTP DoS (not TCP DoS), Slowloris.

This is an effort at performing DoS attacks against vulnerable HTTP servers rather than TCP services. A few common web servers have been identified as vulnerable to this type of attack, including Apache 1.x and 2.x. But our favorite IIS is NOT vulnerable.

And don't forget to check out the DoS attack on HTTP using Google Analytics. This is interesting as it targets shared sub-domain sites, such as blogspot.com, and browsers that allow top-level domain cookies. The idea is that if you can set a large enough cookie (8190 bytes), you can DoS someone's client so it can no longer access the web page. The limit for a single cookie is 4K, but you can use 2 cookies set via Google Analytics as the attack vector. This is serious.

The other posts from WebSecurity are interesting too. They classify HTTP DoS attacks against both the browser and the web application. One very interesting post from WebSecurity is the "Recursive File Include DoS Attack". See the links below.

Check them out if you have time:

Jun 26, 2009

DEFCON Tools Page

Now, DEFCON has its tools page up!

This is a repository of the great and innovative tools that have accompanied DEFCON talks over the years. Have fun!
  • https://www.defcon.org/html/links/dc-tools.html

Free Skype-in with Ring2Skype

Ring2Skype is a new free service that allows you to receive phone calls on your Skype from the phone network!

Once you sign up, you will get a phone number and a private extension. All calls to your extension ring at your Skype. That’s it. Simple, Reliable and FREE.

Google's approach to email

Become a Gmail Ninja: white belt, green belt, black belt, and Master.

Learn tips and tricks to save time, increase your productivity, and manage your email efficiently. Start with the tips that are right for you, based on how much email you get each day.

Jun 12, 2009

How to Make the Search Engines Find You

Here are the instructions on how to submit your website to the popular search engines.

Microsoft Bing
Get your Windows Live ID ready, and visit this site:
  • http://www.bing.com/webmaster/WebmasterAddSitesPage.aspx
  • Fill in your website's complete URL.
  • (Optionally) Insert your sitemap URL on the second line.
  • Finally, input your email and select whether you want news updates for webmasters.

Google
Same here; visit this site:
  • http://www.google.com/webmasters/tools/
  • Log in with your Google ID.
  • Enter your site's URL.
  • You may also add a site map and get it verified. This involves adding some code to your site to confirm the ownership.
Have you submitted your blog or website to these or other search engines? Which has brought you the best results? Share them with us in the comments!

Jun 8, 2009

Swiss Army Knife Internet Tool

Today, I've been introduced to a new online tool for information gathering, called robtex.

With robtex, we can search for:
  • RBL: checks multiple RBLs
  • DNS checks: detailed DNS information for a hostname or a domain
  • IP-number checks: IP number information such as DNS reverse/forwards
  • C-net: checks an entire C-network
  • WHOIS lookup checks.
  • Route: checks a specific routed prefix
  • AS numbers: checks information on an AS-number
  • BGP announcements: checks prefixes originated from a specific AS number
  • AS macros: checks who belongs to an AS-macro (example: as-ams-ix-peers)
  • RFC documents.

Jun 5, 2009

Virtual Host and DNS Enumeration Techniques

This is a great post on techniques for performing virtual host and DNS enumeration for reconnaissance in penetration testing.

Here's the summary:
  • DNS enumeration
  • Banner grabbing
  • SSL/TLS enumeration
  • HTTP Protocol enumeration
  • Active/Passive Web enumeration
Check out this site from Lonerunners. It mentions Hostmap too.

Jun 4, 2009

HostMapping

Everyone performs reconnaissance during penetration testing. Here comes a handy tool to help you perform hostmapping for information gathering.

It uses several techniques to enumerate all the hostnames associated with an IP address. This is similar to SpyOnWeb.

The major features are:
  • DNS names and virtual hosts enumeration.
  • Multiple discovery techniques; to read more, see the user guide.
  • Results correlation, aggregation and normalization.
  • Multithreaded and event based engine.
  • Platform independent.
Download a copy of this handy tool here!

Jun 3, 2009

Spy On Web

SpyOnWeb.com takes the information from public sources, then structures it for your quick and convenient search for the websites that probably belong to the same owner. The web crawler picks out the following data: IP address, Google Adsense ID, Google Analytics ID, Yahoo Publisher Network ID, Yandex Direct ID.

This greatly helps a pentester discover websites sharing the same IP address and the same owner during reconnaissance. Simply enter a website URL, IP address, advertising or statistics code to discover the targeted internet business and use this data for your further strategy.

According to the website, they have indexed more than 72 million domains, with more than:
  • 8 499 550 sites with Google Analytics code.
  • 3 603 150 sites with Google AdSense code.
  • 20 347 sites with Yahoo Publisher Network code.
  • 13 448 sites with Yandex Direct code.

Jun 2, 2009

Online Web Information Gathering

Here is a very useful service I’ve discovered today.

Sucuri WIGS (Web information gathering) is a simple tool to collect public information from any web site. It is very lightweight, executing just a few normal requests to your site and processing the information internally.

Enter the site URL and it will show you:
  • The web server information: banner, version.
  • Related hosts and IP address: sub-sites.
  • DNS lookup information.
  • HTTP header information.
  • Whois information.
  • List of links.
Find the online service here on the Sucuri web site.

Jun 1, 2009

Reverse Lookup with Bing

I learned about this unique feature of Microsoft's latest search engine, Bing.

You can perform a reverse lookup with an IP address for a main site and generate a list of sub-sites with the Bing search engine.

For example, enter "ip:216.34.181.45" (without the quotes). This is the IP address for the Slashdot main site. It results in 310,000 answers, with a list of sub-sites hosted at the same public IP address.

This is a great feature, as it allows a pentester to find out how many websites are hosted at one particular IP address during reconnaissance. Cool!

May 28, 2009

HTTP Parameter Pollution

>>>> New type of attack on web applications: Parameter Pollution

At the recent OWASP conference, the Italian security experts Luca Carettoni and Stefano Di Paola demonstrated a new way of manipulating web applications and tricking security systems: HTTP Parameter Pollution (HPP).

This form of attack essentially involves submitting the parameters in GET and POST requests in unusual form or order, or with unusual delimiters. A request like:

GET /foo?par1=val1&par2=val2 HTTP/1.1

will be processed in the normal way, while

GET /foo?par1=val1&par1=val2 HTTP/1.1

with two occurrences of par1 can result in various different server-side variable interpretations, depending on the web server's or application's parsing routine. According to Carettoni and Di Paola, this can cause the application to behave in an unwanted and highly unpredictable way and result in security issues.

Web application firewalls (WAFs) and server security extensions are also vulnerable to HPP attacks. While Apache's ModSecurity module recognises an SQL-injection attack like:

/index.aspx?page=select 1,2,3 from table where id=1

it fails to detect

/index.aspx?page=select 1&page=2,3 from table where id=1

say the security experts. HPP can reportedly also be exploited for launching Cross-Site-Scripting attacks (XSS) on web browsers. The XSS filter of Internet Explorer 8 is apparently among the components vulnerable to this kind of attack.

Carettoni and Di Paola recommend stricter filtering and URL encoding to counteract HPP. They also recommend using strict regular expressions in URL rewriting.
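To show why the split payload slips past a per-parameter filter, here is an added example (not from the article or from the researchers) that resolves a duplicated parameter the three ways common backends do and runs a simple SQL-injection pattern over each view. The query strings are the article's own; the comma-joined view is how ASP.NET's Request.QueryString exposes repeated names, which is what the /index.aspx example relies on, and the first-wins/last-wins attributions in the comments are general knowledge rather than claims from the article.

```python
import re
from urllib.parse import parse_qsl

# Added example (not from the article): three common server-side views of a
# duplicated parameter, and a filter check over each view.

def first_wins(query: str) -> dict:
    """First occurrence is kept (e.g. Java servlet getParameter)."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(name, value)
    return out

def last_wins(query: str) -> dict:
    """Last occurrence is kept (e.g. PHP's $_GET)."""
    return dict(parse_qsl(query, keep_blank_values=True))

def join_all(query: str, sep: str = ",") -> dict:
    """All occurrences concatenated (e.g. ASP.NET joins them with commas)."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out[name] = value if name not in out else out[name] + sep + value
    return out

# Deliberately simple signature, standing in for a WAF rule.
SQLI = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)

def naive_filter_blocks(query: str) -> bool:
    """Inspects each name=value pair on its own, the way a per-parameter rule
    does: neither half of the split payload matches by itself."""
    return any(SQLI.search(v) for _, v in parse_qsl(query, keep_blank_values=True))

def hardened_filter_blocks(query: str) -> bool:
    """Inspects every interpretation the backend might use, so a payload that
    only exists in the joined view is still caught."""
    views = (first_wins(query), last_wins(query), join_all(query))
    return any(SQLI.search(v) for view in views for v in view.values())
```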

May 26, 2009

The Security Implications Of Google Native Client

This is a wonderful post from Matasano Security about the implications of Google Native Client. The post explains in detail the differences between Google Native Client (NaCl) and ActiveX.

Read it at Matasano Security.

May 21, 2009

Anatomy of a Cross-site Request Forgery Attack

So far, this is the best article articulating our well-beloved Cross-site Request Forgery (CSRF) attack.

A Cross-site request forgery attack, also known as CSRF or XSRF (pronounced sea-surf), is the less well known, but equally dangerous, cousin of the Cross Site Scripting (XSS) attack. With XSRF, you make use of the victim's browser to perform a transaction (GET or POST) on your behalf against a vulnerable site to which the victim authenticated earlier.

The article gives an example of how XSRF works in a POST situation, and provides a few suggestions for mitigation:
  • Validate the Referer (not 100% recommended).
  • Implement a "canary" in the form (typically a hidden input) that the attacker couldn't know or compute.
  • Implement ViewStateUserKey to make ViewState more tamper-resistant.
  • Remember that "POST-only" isn't a protection against XSRF.
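As an added example (not from the article), here is the "canary" mitigation in code: a hidden form field derived from the user's session, checked on POST, which also shows why POST-only is no protection. The server secret, session ids, form name and request bodies are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl

# Added example (not from the article): a session-bound "canary" hidden field,
# checked on POST. Secret, session ids and bodies are constructed.

SERVER_SECRET = secrets.token_bytes(32)      # per-deployment key, never sent to clients

def make_canary(session_id: str, form_name: str) -> str:
    """HMAC over the session id and form name: unique per session, so a page
    on another origin cannot know or compute it (same idea as ViewStateUserKey)."""
    msg = f"{session_id}|{form_name}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def render_hidden_input(session_id: str, form_name: str) -> str:
    """The hidden input the site embeds in its own form for this session."""
    return f'<input type="hidden" name="canary" value="{make_canary(session_id, form_name)}">'

def handle_transfer_post(session_id: str, body: str) -> int:
    """session_id comes from the cookie the browser attached automatically;
    the canary must come from the form body. Being a POST proves nothing, so a
    missing or foreign canary is rejected. Returns an HTTP status code."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    supplied = fields.get("canary", "").encode()
    expected = make_canary(session_id, "transfer").encode()
    if not hmac.compare_digest(supplied, expected):   # constant-time comparison
        return 403
    return 200
```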
References:

May 5, 2009

BSOD Survival Guide

If you don't know what a BSOD is or have never seen one before, then see this.

Make sure you check this out if you often get BSODs.

Related posts:

Security Breach on Twitter

Twitter has now confirmed that there was unauthorised access to its administration interface. The French blog Korben has published screen-shots which show details of the accounts belonging to Ashton Kutcher, Lily Allen, Britney Spears and Barack Obama.

See more detail at Twitter blog and here.

Apr 28, 2009

Dranzer

Dranzer is an open source tool released by CERT.

It enables users to examine effective techniques for fuzz testing ActiveX controls, in order to provide some insight into the current state of ActiveX security.

Apr 27, 2009

iPhone in Action

"iPhone in Action" is a book released in Dec 2008.

The blog for iPhone in Action is at http://iphoneinaction.manning.com/iphone_in_action/
It is all about iPhone including tutorials, classes, and other info on iPhone SDK programming.

MakeUseof Freebies

This is a list of freebies from MakeUseOf:
  • Shortcut cheatsheets
  • "Where to Watch" Guide for Web
  • MakeUseOf Photoshop Guide
  • Idiot's Ultimate Guide for Building your own computer.
  • MakeUseOf Laptop Buying Guide 2009
  • The Big Book of iTunes
  • MakeUseOf PSP Downgrading and Upgrading Guide
I found the Big Book of iTunes is particularly useful for me.

Vulnerability on OAuth

What's OAuth?
  • It is an open protocol for authorizing API access.
  • It lets a user grant a third-party site (the consumer) access to specific data held at a service provider, without handing over the user's password.
  • OpenID provides the authentication; OAuth then gives the consumer access to the user's properties and attributes without giving it all the user's other information.
Summary of the Vulnerability
  • It is analogous to a session fixation vulnerability, although no session is involved: it is the OAuth request token that gets fixed by the attacker.
  • The attacker starts the authorization flow at a legitimate consumer site, obtains a valid request token, and then entices a victim to click on a link to the provider's approval page carrying that token.
  • The link brings the victim to the page for approving the consumer's access to the victim's personal information.
  • Once the victim approves, the attacker completes the flow at the consumer with the same token and gets access to whatever information the victim approved for the consumer.
The advisory and the details can be accessed at the OAuth site.
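The attack is easier to see as a token state machine. The following added example (not code from the advisory or from any OAuth library) models a toy provider, runs the fixation attack against it, and then shows why the fix that the OAuth 1.0a revision adopted, an `oauth_verifier` that only the authorizing user's browser receives, defeats it. Consumer and user names are constructed.

```python
"""Toy model of 3-legged OAuth 1.0 request tokens and the fixation attack.
Not protocol code; consumer/user names are constructed."""
import secrets


class OAuthProvider:
    def __init__(self, require_verifier=False):
        # require_verifier=True models the OAuth 1.0a fix
        self.require_verifier = require_verifier
        self.request_tokens = {}   # token -> {consumer, user, verifier}
        self.access_tokens = {}    # access token -> user whose data it unlocks

    def get_request_token(self, consumer):
        """Step 1: the consumer obtains an unauthorized request token."""
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer,
                                      "user": None, "verifier": None}
        return token

    def authorize(self, token, user):
        """Step 2: `user` clicks Allow on the provider's approval page.  The
        returned verifier is handed only to that browser (shown, or sent to
        the consumer's callback), never to whoever started the flow."""
        entry = self.request_tokens[token]
        entry["user"] = user
        entry["verifier"] = secrets.token_hex(8)
        return entry["verifier"]

    def get_access_token(self, consumer, token, verifier=None):
        """Step 3: the consumer swaps the authorized request token for an
        access token.  Returns None when the exchange is refused."""
        entry = self.request_tokens.get(token)
        if entry is None or entry["consumer"] != consumer or entry["user"] is None:
            return None
        if self.require_verifier and verifier != entry["verifier"]:
            return None                       # the 1.0a check the attacker fails
        del self.request_tokens[token]        # request tokens are one-shot
        access = secrets.token_hex(8)
        self.access_tokens[access] = entry["user"]
        return access


def session_fixation_attack(provider, consumer="photo-printer.example"):
    """The attacker starts a login at the consumer, keeps the request token,
    and tricks the victim into authorizing it.  Returns whose data the
    attacker's consumer session ends up holding, or None if it fails."""
    token = provider.get_request_token(consumer)      # attacker's flow starts
    # attacker mails the victim: https://provider/authorize?oauth_token=<token>
    victim_verifier = provider.authorize(token, "victim")   # victim clicks Allow
    # The verifier went to the victim's browser; the attacker only has the
    # token, so that is all the consumer's callback receives from them:
    del victim_verifier
    access = provider.get_access_token(consumer, token, verifier=None)
    return provider.access_tokens.get(access) if access else None
```

Against a provider that does not require the verifier the function returns `"victim"`: the attacker's session at the consumer now holds an access token for the victim's data. With `require_verifier=True` the exchange is refused. The 1.0a revision also moved `oauth_callback` from the authorization step to the request-token step, so the attacker cannot redirect the victim's approval to a callback of their choosing.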

Below is a list of affected vendors:

Apr 20, 2009

New Linux Rootkit Technique

A new rootkit technique using /dev/mem has been published by a Linux security researcher. It is less obvious than the established route of loading a kernel module (LKM) to hide files or processes, or to interfere with network traffic.

The trick is that libmemrk uses the /dev/mem device to write arbitrary code from userspace straight into kernel memory: /dev/mem is an interface onto physically addressable memory, so no module support and no kernel symbol table are needed. It still requires root (opening /dev/mem needs CAP_SYS_RAWIO), so this is a stealth and persistence technique for an attacker who already has the box, not a privilege escalation.

Interestingly, some platforms are secure against this new rootkit by default:
  • Current Red Hat and Fedora (their kernels restrict /dev/mem to the first megabyte, the restriction that mainline now ships as CONFIG_STRICT_DEVMEM, on top of SELinux)
  • Virtual environments (another reason to be virtualized)
The details of the new rootkit are documented in Malicious Code Injection via /dev/mem.
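The check a practitioner wants here is whether the kernel in front of them actually restricts /dev/mem. The following added example (not from the paper or from libmemrk) reads the answer from the kernel config and, when run as root, confirms it by attempting a read well above the first megabyte. The sample config text is constructed; `/proc/config.gz` and `/boot/config-<release>` are the usual places the running kernel's config can be found.

```python
"""Is /dev/mem restricted on this kernel?  Config parse plus optional live probe.
SAMPLE_CONFIG is constructed; the paths are the conventional ones."""
import gzip
import os
import re

SAMPLE_CONFIG = """# constructed sample of a kernel .config
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
"""


def parse_kconfig(text):
    """Return {option: value}; '# CONFIG_X is not set' lines become 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def devmem_status(opts):
    """absent: no /dev/mem at all; restricted: STRICT_DEVMEM filters RAM
    above 1 MiB (the libmemrk write fails with EPERM); unrestricted: exposed."""
    if opts.get("CONFIG_DEVMEM") == "n":
        return "absent"
    if opts.get("CONFIG_STRICT_DEVMEM") == "y":
        return "restricted"
    return "unrestricted"


def load_running_config():
    """Config of the running kernel, or None if neither source is available."""
    for path in ("/proc/config.gz", "/boot/config-" + os.uname().release):
        opener = gzip.open if path.endswith(".gz") else open
        try:
            with opener(path, "rt") as fh:
                return fh.read()
        except OSError:
            continue
    return None


def probe_devmem(offset=16 * 1024 * 1024):
    """Live check, needs root: read 16 bytes of RAM at `offset`, far above the
    1 MiB a strict kernel still allows.  EPERM on the read means restricted."""
    try:
        fh = open("/dev/mem", "rb", buffering=0)
    except PermissionError:
        return "no access (run as root)"
    except FileNotFoundError:
        return "absent"
    with fh:
        try:
            fh.seek(offset)
            fh.read(16)
        except PermissionError:
            return "restricted"
        except OSError as err:
            return "error: %s" % err
    return "unrestricted"


if __name__ == "__main__":
    cfg = load_running_config()
    print("config says:", devmem_status(parse_kconfig(cfg)) if cfg else "unknown")
    print("probe says: ", probe_devmem())
```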

Apr 19, 2009

Configuring Linux for Oracle Database 10g

This shows how to configure the Linux kernel and prepare for the installation of Oracle Database 10g.

Set up the user and groups (as root):
/usr/sbin/groupadd oinstall
/usr/sbin/groupadd dba
/usr/sbin/groupadd oper
/usr/sbin/useradd -g oinstall -G dba,oper oracle
/usr/bin/passwd oracle
Set up the environment (put this in the oracle user's ~/.bash_profile):
umask 022

PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
LD_LIBRARY_PATH=/usr/lib:/usr/X11R6/lib

ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1
ORACLE_SID=orcl
PATH=$ORACLE_HOME/bin:$PATH

export PATH LD_LIBRARY_PATH ORACLE_BASE ORACLE_HOME ORACLE_SID
Create the Oracle base directory (as root):
mkdir -p /u01/app/oracle
chown -R oracle:oinstall /u01/app
chmod -R 775 /u01/app
Set up the kernel parameters (as root). Note that sysctl -w takes no spaces around "=", and that sysctl -p only re-reads /etc/sysctl.conf, so the values must be written there for them to survive a reboot:
cat >> /etc/sysctl.conf <<'EOF'
kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
EOF
/sbin/sysctl -p

>>>> From http://www.oracle.com/technology/obe/obe10gdb/install/linuxpreinst/linuxpreinst.htm

Apr 16, 2009

Twitter Attacked by (XSS) Worm

A twitter nowadays doesn't eat worms? How about a worm attacking Twitter?


Twitter has confirmed the attack and closed the vulnerability last Saturday (Apr 11, 2009). Over the weekend, a worm using a cross-site scripting flaw in Twitter profiles tricked users of the social networking service and directed them to stalkdaily.com.

The worm consisted of JavaScript hidden in the "Bio" section of a Twitter profile, which Twitter rendered without encoding it. A user would be sent to view another user's profile containing the script. The script would wait three seconds, then grab the user's name and Twitter cookie. It then used the Twitter API with that user's credentials to modify the user's own profile, adding the worm, and to send tweets about stalkdaily.com.

Twitter users should check their profile's biography field to see if it has changed and, if so, reset it. Twitter has reset the password on a number of affected accounts, and those users will need to request a new password to regain access.


Apr 12, 2009

Two Easter Eggs

Two easter eggs I came across on the Internet.



uTorrent Tetris

To find it: In uTorrent, go to the Help menu and choose "About uTorrent." Press the letter T.
Purpose: A game of Tetris while you wait for your download to complete.






Picasa Teddy Bears

To find it: In Picasa, press Ctrl+Shift+Y.
Purpose: For fun. Your photo library taken over by teddy bears! Keep hitting the key combo to add more bears.

Apr 10, 2009

Building Security in Maturity Model

Software security again.

In 2006, software security found itself embodied in three major methodologies: Microsoft SDL, Cigital Touchpoints, and OWASP CLASP. Of course there are more. BSIMM was built from the practices observed in nine leading software security initiatives (chosen from 35 known ones) and organizes them in a Software Security Framework (SSF).

The BSIMM is about helping us to determine where our organization stands with respect to software security initiatives and what steps can be taken to make it more effective.

For a concise description of the BSIMM, read the informIT article Software [In]security: The Building Security In Maturity Model (BSIMM), Confessions of a Software Security Alchemist.

You can download the document from here.

WiFi at Airport

You're sitting in an airport or in a cafe, and they provide WiFi access for a fee. However, they let ICMP or DNS traffic through for free. What can you do?

The answer is tunneling: IP-over-ICMP or IP-over-DNS. Keep in mind that the tunnel itself gives you no confidentiality (the payload is plaintext inside the ICMP or DNS packets), so run a VPN or SSH inside it.

Check this out to get yourself ready for this situation:

Apr 9, 2009

SSL Audit

SSL is not a panacea. Thus, it is important to learn how to audit an SSL/TLS host effectively. This is a compilation of various articles on how to audit a weak SSL host.

Attempt to connect to the target (in this case google.com) with SSLv2 only, by turning off SSLv3 and TLSv1 so that a successful handshake can only mean SSLv2 is still enabled. This needs an OpenSSL build that still contains SSLv2, such as the 0.9.8 series; builds that drop SSLv2 fail here regardless of what the server supports:
~# openssl s_client -no_tls1 -no_ssl3 -connect www.google.com:443 </dev/null
Check the output to see whether the handshake succeeds. The same approach checks for weak suites, e.g. -cipher 'LOW:EXP' to see whether export-grade ciphers are accepted. You can also do this with Nmap (with the sslv2 NSE script):
~# nmap -n -p443 -v --script=sslv2 -iL target.list -oG https.gnmap
Next, pull the hosts with 443 open out of the grepable Nmap output (field 2 is the IP, field 3 the hostname in parentheses, "()" when unknown) into "IP hostname" lines, and dump all the X.509 certificates with the OpenSSL tool:
~# gawk '/443\/open/ {gsub(/[()]/, "", $3); print $2, $3}' https.gnmap > https-ip.txt
~# ./get-cert-info.sh https-ip.txt
Below is "get-cert-info.sh":
#!/bin/bash
# get-cert-info.sh: one CSV line per host from a file of "IP [hostname]" lines.
# You will need OpenSSL for this script to work.

processLine(){
# Use OpenSSL to download the cert and extract the interesting fields
# from it with the x509 utility.
IP=$1
TARGETDOM=${2:-$IP}            # fall back to the IP when no name is known
HOST="$TARGETDOM:443"
# Connect to HOST; </dev/null makes s_client exit after the handshake
# instead of waiting for input; errors go to /dev/null, output to RAWCERT
RAWCERT=$(openssl s_client -connect "$HOST" </dev/null 2>/dev/null)
# Obtain the PEM-encoded certificate from RAWCERT
CERTTEXT=$(echo "$RAWCERT" | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
if [ -z "$CERTTEXT" ]; then
echo "$IP, $TARGETDOM, NO CERTIFICATE (handshake failed)"
return
fi
# Process certificate for the different variables
SIGALG=$(echo "$CERTTEXT" | \
openssl x509 -noout -text | \
grep -m 1 "Signature Algo" | cut -d: -f2)
SUBJECT=$(echo "$CERTTEXT" | \
openssl x509 -noout -subject | sed -e 's/^subject= *//')
ISSUER=$(echo "$CERTTEXT" | \
openssl x509 -noout -issuer | sed -e 's/^issuer= *//')
START=$(echo "$CERTTEXT" | \
openssl x509 -noout -startdate | cut -d= -f2)
END=$(echo "$CERTTEXT" | \
openssl x509 -noout -enddate | cut -d= -f2)
SERIAL=$(echo "$CERTTEXT" | \
openssl x509 -noout -serial | cut -d= -f2)

# Clean up dates: "Apr  9 00:00:00 2009 GMT" -> "9/Apr/2009".
# awk splits on runs of blanks, so single-digit days don't shift the fields
# the way cut -d" " does.
START=$(echo "$START" | awk '{print $2"/"$1"/"$4}')
END=$(echo "$END" | awk '{print $2"/"$1"/"$4}')

# Output in CSV format
echo "$IP, $TARGETDOM, $SIGALG, $SUBJECT, $ISSUER, $START, $END, $SERIAL"
}

### File line loop ###
# Make sure we get file name as command line argument
FILE=${1?"No file name specified"}
# Check that file exists and is readable
[ ! -f "$FILE" ] && { echo "$FILE: does not exist"; exit 1; }
[ ! -r "$FILE" ] && { echo "$FILE: cannot be read"; exit 2; }

#Open file for reading on descriptor 3
exec 3< "$FILE"

#Process file line by line: first field IP, optional second field hostname
while read -u 3 -r IPFIELD NAMEFIELD _
do
[ -z "$IPFIELD" ] && continue      # skip blank lines
processLine "$IPFIELD" $NAMEFIELD
done

# Close file after reading
exec 3<&-

exit 0


Advanced Javascript Obfuscation

This is an interesting article at SANS. Once again, this shows why signature scanning will fail most of the time.

Read more.

F-Secure: Security Threat Summary Q1/2009

F-Secure just published their threat summary for the 1st quarter of 2009. It includes:
  • Conficker
  • First SMS worm
  • Threats in social networks.
More info on http://www.f-secure.com/en_EMEA/security/security-lab/latest-threats/security-threat-summaries/2009-1.html



Built-in Network Tools in Vista

Windows Vista comes with a number of command-line network tools: 2 that are less well known and 10 familiar from XP.

The 2 less-known toys (both in fact already shipped with XP Professional):
  1. getmac - display the MAC address(es) of the local or a remote machine
  2. pathping - ping + tracert, with per-hop packet loss statistics
The 10 old toys:
  1. hostname
  2. ipconfig
  3. nslookup
  4. net
  5. nbtstat
  6. netstat
  7. ping
  8. tracert
  9. netsh
  10. route

Apr 8, 2009

!exploitable Crash Analyzer

Microsoft has released a new open-source tool to make debugging easier. It gives developers a lot of help during the release cycle in building more secure software.
Microsoft released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it’s still under development.

As its name suggests, !exploitable Crash Analyzer (pronounced “bang exploitable crash analyzer”) combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a “game changer” because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.

“Microsoft has taken years of difficulties with security vulnerabilities and really condensed that experience down to a repeatable tool that takes a look at a crash and says ‘You better take a look at this,’” Kaminsky told The Reg. “What makes !exploitable so fascinating is that it takes at least the first level of this knowledge and packages it up into something that can be in the workflow.”

There are currently x86 and x64 versions available.

You can download the application here: !exploitable Crash Analyzer - MSEC Debugger Extensions


Apr 6, 2009

Ophcrack and Rainbow Table

Still remember Ophcrack? How about rainbow tables? If you really don't know, check here for Ophcrack and here for rainbow tables.

Now there is a free online demo I found today. Check it out at objectif-securite.

There you can paste an LM/NT hash pair and get the password back immediately (by rainbow-table lookup), or compute the hashes for a given password. It works because both hashes are unsalted: the same password always produces the same hash, so a table computed once answers every future lookup.

Try the following hashes (LM hash:NT hash):
  • aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 [EMPTY]
  • e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c [password]
  • ac804745ee68ebea1aa818381e4e281b:3008c87294511142799dca1191e69a0f [admin123]
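To see why the lookup is instant, the following added example (not code from Ophcrack or from the objectif-securite site) computes NT hashes locally with a pure-Python MD4, builds the hash-to-password map that a rainbow table amortises, and reproduces the first two NT hashes above. The wordlist is constructed. LM hashes are not computed here (they need DES), but the well-known LM value of an empty or disabled password, the left half of the first pair, is recognised.

```python
"""NT hash = MD4(UTF-16LE(password)), unsalted; hence precomputed tables work.
Pure-Python MD4 per RFC 1320.  WORDLIST is constructed for illustration."""
import struct

# LM hash stored when the LM hash is blank or disabled (left half of pair 1)
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 digest of `data` (bytes), returned as 16 bytes."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"                                  # a 1 bit, then zeros
    data += b"\x00" * ((56 - len(data) % 64) % 64)   # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)               # original length, LE
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF,
                          shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate registers for next step
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash as lowercase hex.  No salt: same password, same hash."""
    return md4(password.encode("utf-16le")).hex()


def build_table(wordlist):
    """The precomputation a rainbow table compresses: hash -> password."""
    return {nt_hash(w): w for w in wordlist}


def lookup(table, nthash):
    """Instant reversal for anything in the table."""
    return table.get(nthash.lower())


def lm_is_blank(lmhash):
    """True when the LM half carries no password (blank or LM disabled)."""
    return lmhash.lower() == LM_EMPTY


WORDLIST = ["admin", "letmein", "password", "Password1", ""]   # constructed
```

The point of `build_table` is not speed but what it shows: because there is no salt, the same table serves every account on every machine; a per-user salt would force the attacker to rebuild it per target.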

Picture of the Day: Snow White chomps on poison Apple


Apr 3, 2009

One-Line-Web-Server For File Sharing

Today I learned a way to create a web server in one line. It lets me share files over HTTP with anyone who can reach the port. That is also the caveat: it serves the current working directory, without authentication, to everyone, so start it in a directory that holds only what you intend to share and kill it when you are done. The port-80 form needs root; the port-8000 form does not. (On Python 3 the module is http.server: python3 -m http.server.)

TCP port 80

~# python -c "import sys,SimpleHTTPServer;sys.argv=[None,80];SimpleHTTPServer.test()"

Or TCP port 8000

~# python -m SimpleHTTPServer
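The following is an added example (not part of the original post) of the same server started from code so that it serves one dedicated directory rather than the working directory, together with the check a practitioner wants before exposing it: that a client cannot walk above that directory with `..`. It assumes Python 3.7 or later (for `ThreadingHTTPServer` and the `directory=` argument); the share directory and file are constructed on the fly.

```python
"""Serve one directory with http.server, then probe it for path traversal.
Assumes Python 3.7+.  The shared directory and file are constructed."""
import functools
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request


def start_share(directory, bind="0.0.0.0", port=0):
    """Serve `directory` (never the cwd) in a background thread.
    Returns (server, port); port=0 lets the OS choose a free port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=directory)
    server = http.server.ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_status(port, path):
    """GET path from the local share and return the HTTP status code."""
    url = "http://127.0.0.1:%d%s" % (port, path)
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Share a scratch directory and probe it the way an attacker would."""
    share = tempfile.mkdtemp(prefix="share-")
    with open(os.path.join(share, "report.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    server, port = start_share(share, bind="127.0.0.1")
    try:
        return {
            "file": fetch_status(port, "/report.txt"),
            # %2F-encoded '..' is decoded and then dropped by translate_path()
            "traversal": fetch_status(port, "/..%2F..%2F..%2Fetc%2Fpasswd"),
            "missing": fetch_status(port, "/nope.txt"),
        }
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(share, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns 200 for the shared file and 404 for both the traversal attempt and the missing file: the handler normalises the path and discards `..` components, so the worst a client can do is enumerate what is in the share. Binding to 127.0.0.1 is only for the self-test; for real sharing bind to the interface you mean to expose and nothing more.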

SANS Consensus Audit Guidelines (Draft 1.0)

On Feb 23, 2009 SANS published the first draft of the Consensus Audit Guidelines (CAG). As stated in the press release, the CAG includes 20 controls, 15 of which can be automated and 5 of which cannot.

The 20 Critical Controls (the first 15 are subject to automated measurement and validation, AMV):
  1. Inventory of Authorized and Unauthorized Hardware.
  2. Inventory of Authorized and Unauthorized Software.
  3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available.
  4. Secure Configurations of Network Devices Such as Firewalls And Routers.
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security ***
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection
  16. Secure Network Engineering (not AMV)
  17. Red Team Exercises (not AMV)
  18. Incident Response Capability (not AMV)
  19. Assured Data Back-Ups (not AMV)
  20. Security Skills Assessment and Training to Fill Gaps (not AMV)
Two (2) points I would like to make here:
  • When your only tool is a hammer (For*ify), you tend to see every problem as a nail. Hey dude, *** is only 1/20 of the entire infosec.
  • RedTeam Exercise isn't an automated measurement and validation.

Does PCI Work?

This is news from Computerworld.

The payment card industry's data security rules aren't working, critics say; (and of course) Visa and the PCI council continue to defend their stand.

Some evidence:
  • Hannaford was certified as PCI-compliant by a 3rd-party assessor in Feb 2008, just 1 day after the company was informed of the system intrusions (which had begun two months earlier).
  • Heartland Payment Systems and RBS WorldPay were both certified as PCI-compliant prior to the breaches that the two payment processors disclosed in Jan 2009 and Dec 2008 respectively.
Interesting?

NTFS-hacked in USB without Hacking

I know there are many tools out there that let you format a USB thumb/flash drive as NTFS. By default, Windows XP offers only FAT/FAT32 for removable drives. Here is how to get NTFS offered without any hacking:
  1. Plug in the USB drive, right-click "My Computer" and select "Manage".
  2. Open 'Device Manager' and find your USB drive under the 'Disk Drives' heading.
  3. Right-click the drive and select 'Properties'.
  4. Choose the 'Policies' tab and select the 'Optimize for performance' option.
  5. Click 'OK' to close it.
  6. Now open 'My Computer', right-click the USB drive and select 'Format'.
  7. Choose 'NTFS' in the File System dropdown box.
  8. Click 'Start' to format it as NTFS.
The catch: 'Optimize for performance' turns on write caching for the drive, so from then on always use 'Safely Remove Hardware' before pulling it out, or you risk a corrupted file system.

Apr 2, 2009

Software Assurance Maturity Model

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
  • Evaluating an organization’s existing software security practices
  • Building a balanced software security assurance program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities throughout an organization
SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

Mar 12, 2009

Compiler or Programming Language: Which Came First

Have you ever thought about this? Which came first, the compiler or the programming language?

This is like the classic "chicken and egg" causality dilemma. Here is what I think the sequence was:
  1. Machine code: the first programs were written directly in the hardware's machine code.
  2. Assembler (interpreter): a program written in machine code that translates ASM into machine code.
  3. Compiler: a set of programs (lexical analyser, parser, linker, etc.) that could convert source code to assembler/machine code.

How to Make a Compiler?

If you are ever interested in making your own compiler, try this:

Mar 11, 2009

PDF Exploit PoC without any user interaction

Last week, Belgian security researcher Didier Stevens demonstrated that a PDF exploit could trigger with the user merely selecting the file in Windows Explorer (the answer lies in Windows Explorer shell extensions).

Now he has taken it a level further: you can be exploited simply by having the malicious file on disk, because the Windows Indexing Service parses it in the background.

Here is a list of possible countermeasures:
  • Disable JavaScript in Adobe Acrobat Reader.
  • Keep anti-virus up to date.
  • Host-based IDS/IPS signatures.
  • Disable automatic rendering of PDFs in the browser.
  • Use an alternative PDF reader like Foxit Reader or Sumatra PDF.
  • Disable or uninstall the Windows Indexing Service.


What's Your Location?

There are a few ways, provided by Google, to show your location (geotagging) when you post to your blog or send email.

  1. Google Latitude: see your friends on a map. You can use it from your phone, your computer, or both.
  2. Gmail Message Signature: enable the "Location in Signature" option in Gmail Labs, then tick "Append your location to the signature" on the Settings page, and recipients will see where you sent the email from. With Google Gears installed, the Gears Geolocation API determines the client's position by sending network servers the client's IP address and information about any cell towers or WiFi access points it can detect. Cool!
  3. Blogger Geotagging: an option only enabled in Blogger in Draft. It adds a location field to the post editor; you can search, zoom, click and drag on a map to choose and save a location.
Remember that anything appended to a signature or a post is visible to every recipient or reader, so think before turning it on.

Mar 10, 2009

Information Security in Cloud Computing

This is a typical example of the information security problem with cloud computing: you just don't know when you are vulnerable, or for how long you were.

See how Google has handled a bug reported on Google Docs: error allowed unauthorised document access.

Feb 27, 2009

Determine What Service Pack Installed

Here's a quick tip to determine which service pack is installed on a server. Log in to the server, open a command prompt and type:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v CSDVersion

For a remote server you can do this (the Remote Registry service must be running there, and your account needs remote registry access):

reg query "\\10.200.30.4\HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v CSDVersion
And this version just looks cooler (inside a batch file, double the percent signs: %%x and %%y):

for /f "tokens=3*" %x in ('reg query "\\10.200.30.4\HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v CSDVersion') do @echo %x %y
Service Pack 2


Feb 25, 2009

Top Ten Web Hacking Techniques of 2008!

Top Ten Web Hacking Techniques of 2008 from Jeremiah Grossman.

1. GIFAR
  • (Billy Rios, Nathan McFeters, Rob Carter, and John Heasman)

2. Breaking Google Gears' Cross-Origin Communication Model
  • (Yair Amit)

3. Safari Carpet Bomb
  • (Nitesh Dhanjani)

4. Clickjacking / Videojacking
  • (Jeremiah Grossman and Robert Hansen)

5. A Different Opera
  • (Stefano Di Paola)

6. Abusing HTML 5 Structured Client-side Storage
  • (Alberto Trivero)

7. Cross-domain leaks of site logins via Authenticated CSS
  • (Chris Evans and Michal Zalewski)

8. Tunneling TCP over HTTP over SQL Injection
  • (Glenn Wilkinson, Marco Slaviero and Haroon Meer)

9. ActiveX Repurposing
  • (Haroon Meer)

10. Flash Parameter Injection
  • (Yuval Baror, Ayal Yogev, and Adi Sharabani)

Feb 24, 2009

Linux LiveCD on Windows

MobaLiveCD is freeware that runs your Linux LiveCD on Windows thanks to the excellent emulator "Qemu".

MobaLiveCD allows you to test your LiveCD with a single click : after downloading the ISO image file of your favorite LiveCD, you just have to start it in MobaLiveCD and here you are, without the need to burn a CD-Rom or to reboot your computer.

MobaLiveCD key features:
  • No need to burn the CD-Rom anymore
  • Program without installation that you can start from a USB stick
  • A clear and easy to use interface
  • Light and portable application, packaged in a single executable of 1.6MB only

Link:
  • http://mobalivecd.mobatek.net/en/

Feb 19, 2009

TCP/IP Headers

Very nice TCP/IP header diagrams in both PDF and PNG formats, covering IPv4, IPv6, TCP, UDP, and ICMP.


Feb 18, 2009