Dec 30, 2010

Cisco NAT Address Types

Cisco IOS NAT address types can be very confusing. I just read a very good article describing the different NAT address types. Here's the summary:
  • Inside global: the address of the inside host as seen from the outside
  • Inside local: the address of the inside host as seen from the inside
  • Outside local: the address of the outside host as seen from the inside
  • Outside global: the address of the outside host as seen from the outside
"Inside"/"outside" says which network the host belongs to; "local"/"global" says from which side you are looking at its address. In the common case of a private LAN behind a public address, the inside local address is the host's RFC 1918 address and the inside global address is the public address the router substitutes for it (ip nat inside source). The two outside addresses only differ when the router also translates destinations (ip nat outside source); otherwise outside local and outside global are the same address.
To read the full article, go to Understanding NAT address types.

    MySEQ Web App

Nothing fancy, but it is my first (hello world) web app for Google Chrome. I'm following the instructions at http://code.google.com/chrome/apps/docs/developers_guide.html

(Screenshot: Chrome new tab page showing the app)
Note: this is the same process I used to create the Google Reader web app at http://myseq.blogspot.com/2010/08/creating-google-reader-web-apps-with.html

    Dec 28, 2010

    Google Hacking Database, GHDB, Google Dorks

Remember Johnny Long's Google Hacking Database (GHDB)?

At Exploit-DB (which took over hosting the GHDB in November 2010) they are called 'googledorks': inept or foolish people as revealed by Google. Here are the two sites that host the Google Dorks:


    Something Went Wrong with Facebook

    Sorry, something went wrong.

    Dec 27, 2010

    147-year-old Civil War Message Cracked

A 147-year-old encrypted Civil War message has been cracked. The six-line message is dated July 4, 1863. It remained a mystery for 147 years until a museum had the vial it was sealed in opened and a CIA codebreaker decrypted the text.

    The piece of paper was rolled up, tied with string and sealed along with a bullet in a glass vial.


    The full text of the message reads:
    'Gen'l Pemberton: You can expect no help from this side of the river. Let Gen'l Johnston know, if possible, when you can attack the same point on the enemy's lines. Inform me also and I will endeavor to make a diversion. I have sent some caps (explosive devices). I subjoin a despatch from General Johnston.'
The cipher is the Vigenère cipher, a centuries-old polyalphabetic scheme: each plaintext letter is shifted by an amount given by the corresponding letter of a repeating keyword, so an 'a' might become a 'd' under one key letter and a 'k' under the next. A single fixed shift (every 'a' becoming 'd') would be the simpler Caesar cipher; Vigenère's changing shift defeats plain letter-frequency counting, but because the keyword repeats, counting frequencies separately for every n-th letter recovers the key (the Kasiski method, published in 1863, the same year as this message).
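As an added example, not from the original post or the article it cites: a Vigenère implementation over A-Z in JavaScript, with the Caesar cipher shown as the one-letter-keyword special case. The keyword LEMON and the sample texts are constructed for illustration; the key used on the Vicksburg message is not given on this page.

```javascript
// Added example (not from the original post): Vigenere cipher over A-Z.
// The keyword "LEMON" and the texts are constructed for illustration.
const A = 'A'.charCodeAt(0);

// Shift each letter of `text` by the shift of the corresponding keyword
// letter (A=0 ... Z=25), cycling through the keyword. Non-letters are kept
// as-is and do not consume a keyword letter. dir = +1 encrypts, -1 decrypts.
function vigenere(text, keyword, dir) {
  const key = keyword.toUpperCase().replace(/[^A-Z]/g, '');
  if (key.length === 0) throw new Error('keyword needs at least one letter');
  let k = 0;
  let out = '';
  for (const ch of text.toUpperCase()) {
    if (ch < 'A' || ch > 'Z') { out += ch; continue; }
    const shift = key.charCodeAt(k % key.length) - A;
    out += String.fromCharCode(A + (((ch.charCodeAt(0) - A) + dir * shift + 26) % 26));
    k++;
  }
  return out;
}

function encrypt(plain, keyword) { return vigenere(plain, keyword, +1); }
function decrypt(cipher, keyword) { return vigenere(cipher, keyword, -1); }

// A Caesar cipher is the one-letter-keyword case: every letter gets the
// same shift, e.g. keyword "D" turns 'a' into 'd' as the post describes.
function caesar(plain, shiftLetter) { return encrypt(plain, shiftLetter); }
```

Because the key repeats every key.length letters, ciphertext positions 0, 5, 10, ... under LEMON are all Caesar-shifted by the same amount, which is what the Kasiski attack exploits.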

    Read more: http://www.dailymail.co.uk/news/article-1341666/CIA-codebreaker-reveals-147-year-old-Civil-War-message-Confederate-desperation.html#ixzz19H4zdu8Q

    Dec 23, 2010

    0day Exploit for WMI Administrative Tools

Microsoft WMI Administrative Tools is prone to a remote code-execution vulnerability in the WMI Object Viewer ActiveX control (WBEMSingleView.ocx).

The flaw is that the AddContextRef() and ReleaseContext() methods of the WMI Object Viewer Control (ProgID WBEM.SingleViewCtrl.1) take the value passed in the lCtxHandle parameter and use it directly as an object pointer, so script in a web page chooses the address the control dereferences.

An attacker can exploit this by enticing an unsuspecting user to view a malicious web page. Successful exploitation runs arbitrary code in the context of the application hosting the control, typically Internet Explorer.

The vulnerability is confirmed in version 1.1 (WBEMSingleView.ocx 1.50.1131.0).

Workaround:
Set the kill bit for the affected ActiveX control: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID of the control}, create the DWORD value "Compatibility Flags" and set it to 0x400 (Microsoft KB 240797). The control's CLSID can be read from HKEY_CLASSES_ROOT\WBEM.SingleViewCtrl.1\CLSID. On 64-bit Windows also set it under the matching Wow6432Node key, which is what 32-bit Internet Explorer reads. The kill bit only protects IE-based hosts; other applications that load the control are unaffected by it.


    PoC Exploit is available at:


    Reference:

    GnackTrack

    GnackTrack is a Live (and installable) Linux distribution designed for Penetration Testing and is based on Ubuntu. Although this sounds like BackTrack, it is most certainly not; it's very similar but based on the much loved GNOME!

    Dec 22, 2010

    Google Chrome is Ready for Enterprise now

Google has recently released tools that let enterprises manage Chrome centrally in an Active Directory environment, specifically:

• Standalone (system-level) installer. Enterprises can roll out and update the browser across the organization through Group Policy.
• Group Policy for Google Chrome. Google released ADM policy templates that let admins enforce the organization's requirements: default search provider, default home page, security and privacy settings, including the ability to disable auto-updates.

This allows enterprises to begin adopting Chrome while continuing to use Internet Explorer for legacy applications. Chrome Frame settings are also configurable through Group Policy.

One interesting feature of the ADM policies is whitelisting and blacklisting of Chrome extensions, which helps lock down the browser's configuration. Note that if you disable auto-updates by policy you take over the job of shipping Chrome's security updates yourself.


    Dec 20, 2010

Anti-Theft v3.0

I was just introduced to Intel's remote kill switch, Intel Anti-Theft Technology 3.0, which arrives with the Sandy Bridge (2nd generation Core vPro) platform. It is implemented in the platform firmware rather than in the CPU core itself, and the "poison pill" lock command can be delivered over 3G as well as over the Internet, so it reaches a laptop that is offline or powered off; once received, the platform refuses to boot and can also render the encrypted data on disk unusable. The goal is to let the owner or IT department disable a lost or stolen computer remotely.


    Some extra reading for those interested on this technology:

    • http://www.intel.com/en_US/Assets/PDF/general/br_IT_AntiTheft_vPro.pdf?wapkw=(vpro+antitheft)
    • http://antitheft.intel.com/Libraries/Documents/Intel_R_Anti-Theft_Technology_-_Technology_Brief.sflb.ashx
    • http://download.intel.com/technology/vpro/Whitepaper_AllNew2010IntelCorevProProcessors.pdf

    Dec 18, 2010

    Microsoft Security Essential 2.0

Microsoft Security Essentials has been my favorite anti-malware application since it launched. It's free, unobtrusive, and it doesn't slow the PC down. Now it's even better with the new 2.0 release, which adds network filtering, IE integration and heuristic detection:

• Network Traffic Inspection (the Network Inspection System) hooks into the network stack and inspects traffic at a low level, without slowing the PC down, so that exploit attempts can be blocked before they reach the vulnerable application. It relies on the Windows Filtering Platform, so it is only available on Windows Vista and Windows 7.
• Internet Explorer Integration blocks malicious scripts before IE even starts running them, clearly a big security advantage.
• Heuristic Scanning Engine finds malware that hasn't been seen before by looking for certain types of attack behaviour, providing protection beyond virus definitions alone.

These new features put MSE on par with other anti-malware applications, especially the heuristic scanning. Download it today at http://www.microsoft.com/security_essentials/default.aspx

    Dec 17, 2010

    Make Simple Things Difficult

Just read an article by Mark Russinovich, "A Bluescreen By Any Other Color". It is an example of how to make simple things difficult.

If you prefer the simple way, go to Change Color for your BSOD and Manual BSOD to get your Red Screen of Death. :-)

    Dec 15, 2010

    Change Display Resolution settings with xrandr

    xrandr is used to set the size, orientation and/or reflection of the outputs for a screen. It can also set the screen size. There are a few global options; the rest modify a particular output and follow the specification of that output on the command line.

First, to show the current setting and all the supported settings:
$ xrandr
This will display the allowed resolutions:
Screen 0: minimum 320 x 200, current 1024 x 768, maximum 4096 x 4096
VGA1 connected 800x600+0+0 (normal left inverted right x axis y axis) 267mm x 200mm
   800x600       85.1*+
   640x480       75.0     60.0
   720x400       70.1

If you want to add a mode with resolution 1024x768, generate the timings with cvt:
$ cvt 1024 768
# 1024x768 59.92 Hz (CVT 0.79M3) hsync: 47.82 kHz; pclk: 63.50 MHz
Modeline "1024x768_60.00"  63.50  1024 1072 1176 1328  768 771 775 798 -hsync +vsync

Now create the mode with xrandr --newmode, pasting everything after the word "Modeline" from the cvt output (the numbers must be the ones cvt printed for your resolution; do not mix them with a different pixel clock):
$ xrandr --newmode "1024x768_60.00"  63.50  1024 1072 1176 1328  768 771 775 798 -hsync +vsync
Now add the mode to the output:
$ xrandr --addmode VGA1 1024x768_60.00
Here VGA1 is whatever output name appeared in your own xrandr output. Finally switch to the new mode:
$ xrandr --output VGA1 --mode 1024x768_60.00
Running these changes your resolution, but only until the next restart of the X server. These steps were done to make sure the commands work; now we need to make the change permanent.

Now edit the GDM init script (it runs as root each time the login screen starts):
$ gksudo gedit /etc/gdm/Init/Default
Look for the following lines:
PATH=/usr/bin:$PATH
OLD_IFS=$IFS

And add the following lines below them, using exactly the mode name, timings and output name that worked above:
xrandr --newmode "1024x768_60.00"  63.50  1024 1072 1176 1328  768 771 775 798 -hsync +vsync
xrandr --addmode VGA1 1024x768_60.00
xrandr --output VGA1 --mode 1024x768_60.00

Save and exit the file.

    Dec 14, 2010

    Make PDF in Google Reader

I use Google Reader a lot to read RSS feeds. Here's a tip on creating a Send To entry that prints a post as a PDF.

    At your Google Reader settings page, at the "Send To" tab, click "custom link".
    • Name: Joliprint
    • URL: http://api.joliprint.com/api/rest/url/print/s/googlereader?url=${url}
    • Icon URL: http://api.joliprint.com/buttons/joliprint-icon.png

Or you may prefer to add the Joliprint bookmarklet instead.

    Note in Reader Bookmarklet

Today I learned how to use Google Reader as my bookmarking service. I can even create a shortcut to store any interesting article together with a highlighted passage.

    Steps:
    1. Goto Google Reader, Notes section (upper left corner).
    2. Drag the bookmarklet to your bookmark bar.
    3. Add the link to Google Chrome Search Engine (create shortcut).
    To add into Note in Reader:
    • Browse to any interesting article, and highlight the sentence you like.
    • Either click on the bookmarklet;
    • Or type the shortcut at the address bar.
    • You may tag what you store in the note too.

Advantages:
• You can easily search your bookmarked items with Google Reader.
• The service caches the post, so it stays readable even if the website is down.
• Items can be kept unread.
• They are easy to share (as they are treated as feeds).

    Dec 13, 2010

    WebSockets disabled in Firefox 4

HTML5 will be one of the hottest topics this year (and probably for the next two). One of its features is WebSocket: a bi-directional, full-duplex communication channel over a single TCP connection. It is designed for web browsers and web servers, but any client or server application can use it.

Because of a design weakness in the WebSocket handshake (draft-76), Mozilla has disabled WebSocket in the forthcoming Firefox 4 Beta 8. The weakness concerns transparent proxies that do not understand the Upgrade handshake: once the browser believes it has a WebSocket, such a proxy still parses whatever bytes follow as ordinary HTTP. An attacker's page can therefore send data that looks like a request for a third-party URL, have the attacker's server answer it, and get that answer cached by the proxy for every other client behind it.

A group of researchers described the problem on the IETF mailing list in November. In their proof of concept, a specially crafted JavaScript file for a Google Analytics URL was injected into the proxy's cache, from where it would be returned to clients and executed in their browsers on every subsequent request for that URL.

In conventional HTTP, the client prompts the server with a GET or POST. WebSockets keep a persistent connection open, so the server can push data to the client on its own.

Currently, WebSocket (draft-76) is already supported by Chrome and Safari.

    What is HTML5 WebSocket

One of the cool new features of HTML5 is WebSockets. It lets clients talk to the server without issuing AJAX requests.
WebSockets is a technique for two-way communication over one TCP socket, a type of PUSH technology. At the moment it is still being standardized (the API at the W3C, the protocol at the IETF); however, the latest versions of Chrome and Safari already support it.
WebSockets can replace long-polling. Long-polling is an interesting trick: the client sends a request to the server, but rather than responding immediately with data it may not have, the server keeps the request open until fresh data is ready, sends it, and the client immediately issues another request. This has benefits, decreased latency among them, because a connection that is already open does not have to be re-established. However, long-polling isn't really fancy technology: a request can time out, in which case a new connection is needed anyway.

Many Ajax applications make use of this, and it often results in poor resource utilization.
Wouldn't it be great if the server could wake up one morning and send its data to clients who are willing to listen, without some sort of pre-established request? Welcome to the world of PUSH technology!

Here's a short tutorial that reviews the process of running a WebSocket server in PHP, and then building a client to send and receive messages over the WebSocket protocol.

    Other reference:

    Speed Up Firefox Page Loading Time

We all know that with a RAM disk we can force the browser to load cached images and data from memory instead of the hard disk. Firefox can do this without a RAM disk.

Here are the steps:

  1. Type about:config into the address bar
  2. Type browser.cache into the Filter field
  3. Set browser.cache.disk.enable to false (double-click it)
  4. Set browser.cache.memory.enable to true (double-click it)
  5. Right-click > New > Integer; type browser.cache.memory.capacity; press OK
  6. Type in 100000 (the value is in KB, so this is roughly 100 MB); press OK
  7. Close all Firefox tabs and windows, then restart the browser
  You may try 500000 for roughly 500 MB of cache, or -1 to let Firefox size the cache dynamically according to how much RAM you have.

                Dec 11, 2010

                Top 5 Security Threats in HTML5


HTML4 was introduced in 1997. HTML5 brings many new features, and with them new potential security problems. This isn't to say that HTML5 is "flawed," but that there will be new attack vectors for attackers to exploit. Some originate in the standard itself, some in each browser's implementation of it, and some in the care that developers do (or do not) take when writing their HTML5 code.

                1. Cross-Document Messaging

The new cross-document messaging API, window.postMessage, creates a framework for a script in one origin to pass data to a script running in another. The browser attaches the sender's origin to every message (event.origin), but nothing forces the receiver to look at it: a careless developer who skips the origin check leaves the listener open to messages from any site that can get a reference to the window. The sender has the mirror problem: posting with a '*' target origin hands the data to whatever document currently occupies the target frame.
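As an added example, not the article's own code: the origin check on both ends of postMessage, written so that the handler can be exercised outside a browser. The origins and the message shape are constructed for illustration.

```javascript
// Added example (not the article's code): checking origins on both ends of
// window.postMessage. The origins and message shapes are constructed.

// Receiver side. Contrast with the vulnerable listener this guards against:
//   window.addEventListener('message', e => eval(e.data));  // any page can drive it
function createMessageHandler(trustedOrigins, onTrusted) {
  return function handleMessage(event) {
    // event.origin is filled in by the browser and cannot be spoofed by the
    // sender; it is the only thing that tells us who is talking.
    if (!trustedOrigins.has(event.origin)) {
      return { accepted: false, reason: 'untrusted origin: ' + event.origin };
    }
    // Treat the payload strictly as data: parse it and validate its shape.
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return { accepted: false, reason: 'payload is not JSON' };
    }
    if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'unexpected message shape' };
    }
    onTrusted(msg);
    return { accepted: true };
  };
}

// Sender side: always name the target origin. With '*' the data goes to
// whatever document currently occupies the frame, even after it navigated.
function sendToFrame(targetWindow, msg, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post with a wildcard target origin');
  }
  targetWindow.postMessage(JSON.stringify(msg), targetOrigin);
}

// In a page the wiring looks like this (hostnames are constructed):
//   const trusted = new Set(['https://app.example']);
//   window.addEventListener('message',
//     createMessageHandler(trusted, msg => console.log('trusted message', msg)));
//   sendToFrame(document.getElementById('widget').contentWindow,
//     { type: 'init', theme: 'dark' }, 'https://widget.example');
```

The handler returns a result object only so that its decisions can be tested; in a page the return value is ignored and the important part is that onTrusted never runs for an untrusted origin or a malformed payload.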

                2. Local Storage

Another new feature is client-side offline storage: Web Storage (localStorage and sessionStorage) and the Web SQL Database, a client-side SQL database that JavaScript can query while offline (the W3C stopped work on Web SQL in November 2010, but Chrome and Safari ship it). Everything stored is readable by any script running in the same origin, so a single XSS flaw exposes all of it, and a page served over plain HTTP can have such a script injected by anyone on the network path. Hence serve the application over SSL, keep passwords and similar secrets out of client-side storage altogether, and (as the article also recommends) use unique rather than predictable database names. Queries must be built with prepared statements, that is executeSql with a parameter array, rather than by concatenating strings in JavaScript, or user-controlled values become client-side SQL injection.
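As an added example, not the article's own code: the same Web SQL lookup built by string concatenation and with a bound parameter. executeSql(sql, params) is the real Web SQL Database API; the toy transaction object below is a constructed stand-in that understands just enough SQL to run outside a browser, and the injection payload and sample rows are constructed too.

```javascript
// Added example (not the article's code): the same Web SQL query built two
// ways. executeSql(sql, params) is the real Web SQL Database API; the toy
// engine below is a constructed stand-in that understands just enough SQL
// (WHERE x = y [OR x = y ...]) to run outside a browser, and the input value
// is a constructed injection payload.

// Vulnerable: user-controlled text is spliced into the SQL text, so a value
// like  alice' OR '1'='1  adds a clause that matches every row.
function findNotesByConcat(tx, owner) {
  return tx.executeSql("SELECT body FROM notes WHERE owner = '" + owner + "'", []);
}

// Hardened: the SQL text is constant and the value is bound as a parameter,
// so quotes in it are just characters inside one string.
function findNotesBound(tx, owner) {
  return tx.executeSql('SELECT body FROM notes WHERE owner = ?', [owner]);
}

// Toy stand-in for the SQLTransaction that db.transaction(cb) hands you.
// It parses the WHERE clause first and substitutes parameters afterwards,
// which is exactly why binding cannot change the query's structure.
function toyTransaction(rows) {
  const calls = [];
  const parseTerm = (tok, params, state) => {
    if (tok === '?') return { lit: params[state.next++] };   // bound value
    if (tok.startsWith("'")) return { lit: tok.slice(1, -1) }; // quoted literal
    return { col: tok };                                       // column name
  };
  const value = (term, row) => ('lit' in term ? term.lit : row[term.col]);
  return {
    calls,
    executeSql(sql, params) {
      calls.push({ sql, params });
      const state = { next: 0 };
      const clauses = sql.split(' WHERE ')[1].split(' OR ')
        .map(c => c.split(/\s*=\s*/).map(tok => parseTerm(tok.trim(), params, state)));
      const hit = rows.filter(row => clauses.some(([l, r]) => value(l, row) === value(r, row)));
      return hit.map(row => row.body);
    }
  };
}

// Constructed sample table: two users' notes.
const SAMPLE_NOTES = [
  { owner: 'alice', body: 'alice note' },
  { owner: 'bob', body: 'bob secret' }
];

// In Chrome/Safari the real calls look like:
//   const db = openDatabase('notes', '1.0', 'notes', 1024 * 1024);
//   db.transaction(tx => findNotesBound(tx, userInput));
```

With the payload alice' OR '1'='1 the concatenated query returns both users' notes, while the bound query compares the whole string against the owner column and returns nothing.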

                3. Attribute Abuse

In addition to providing many new tags, HTML5 also introduces new attributes, some of which can be abused. The dangerous ones are those that cause script to run without any action by the user.

For example, the new "autofocus" attribute moves browser focus to the specified element as soon as the page loads, a trick that is useful for user interface design and previously required JavaScript. Paired with an event handler attribute such as onfocus, it fires that handler with no click or keypress at all, which is a well-known way past filters that only look for <script>. Other new attributes, including "poster" on <video> and "srcdoc" on <iframe>, let page elements point to or inline external content, and that content may be malicious in nature.

Again, it is not that these attributes are flawed, they exist to enable richer functionality in web applications, but they can also be abused by bad actors, so HTML sanitizers must treat them as they treat the older event handler and URL attributes.

                4. Inline Multimedia and SVG

With its new <audio>, <video> and <svg> tags, HTML5 can natively render popular media formats and vector graphics without external plug-ins. Parsing untrusted media inside the browser is new attack surface: for example, an earlier version of Google Chrome had a documented bug in its SVG handling that allowed script to access the object properties of a page hosted on a different domain, violating the same-origin policy (see the related links).

Each browser implements its own native media and SVG handling, and each implementation will have its own bugs, so the attack vectors multiply across browsers.

                5. Input Validation

HTML5 provides rich client-side input validation: developers declare constraints (required, type, pattern, min/max) alongside the form fields themselves, and users get instant feedback. Because this syntax is new, developers are more prone to mistakes; in particular a badly written regular expression in a pattern attribute can take exponential time on crafted input and hang the browser tab (a regex denial of service). And client-side validation is a usability feature, not a security control: an attacker simply sends the request without the page, so every constraint must be enforced again on the server.


                Related links:
                • https://developer.mozilla.org/en/DOM/window.postMessage
                • http://diveintohtml5.org/offline.html
                • http://code.google.com/p/html5security/wiki/WebSQLDatabaseSecurity
                • http://code.google.com/p/chromium/issues/detail?id=21338
                • https://developer.mozilla.org/en/HTML/HTML5/Forms_in_HTML5#Constraint_Validation


                Dec 10, 2010

                Reverse-Engineering Malware: Malware Analysis Tools and Techniques

                Just completed the GIAC Reverse Engineering Malware (GREM) exam today. 

                This popular course explores malware analysis tools and techniques in depth. FOR610 training has helped forensic investigators, incident responders, security engineers, and IT administrators acquire the practical skills to examine malicious programs that target and infect Windows systems.

I took this self-study course on Aug 6, 2010. The course begins by establishing the foundation for analyzing malware in a way that dramatically expands upon the findings of automated analysis tools. I've learned how to set up a flexible laboratory to examine the inner workings of malicious software, how to use the lab to uncover characteristics of real-world malware samples, and then how to redirect and intercept network traffic in the lab to explore a specimen's capabilities by interacting with the malicious program.

                Syllabus:

                • FOR610.1: Malware Analysis Fundamentals
                • FOR610.2: Reversing Malicious Code
                • FOR610.3: Malicious Web and Document Files
                • FOR610.4: In-Depth Malware Analysis
                • FOR610.5: Examining Self-Defending Malware
                • FOR610.6: Malware Analysis Tournament 

                Link:  Reverse Engineering Malware Training | Malware Tools & Techniques | SANS FOR610

                SANS 610: GREM

I passed my GREM exam today. :-)

                Dec 3, 2010

                Howto disable the Avahi daemon

The Avahi daemon discovers resources on the local network and announces this machine's own services to it (Zeroconf: multicast DNS and DNS-SD).

Its primary roles are:

• Assign a link-local IP address automatically when no DHCP server is present.
• Act as a local name service (each machine is reachable as hostname.local).
• Publish services and facilitate access: machines on the local network are notified when a service (file sharing, printers, etc.) appears or disappears.

It is an implementation of the Zeroconf protocols, compatible with Apple's Bonjour. Possible drawbacks of Avahi:

• It uses some memory (about 248 KB).
• It opens network ports: UDP 5353 (multicast DNS) plus one high-numbered UDP port.
• It has been reported in some cases to degrade network performance.
• It announces the host name and service list to everyone on the link, which is unwelcome on untrusted networks such as public Wi-Fi.

The daemon name may differ, but the method is the same on Debian-based systems. Stop the running daemon with its init script first, then remove its start-up links:
sudo update-rc.d -f avahi-daemon remove
To recreate the links later:
sudo update-rc.d avahi-daemon defaults
On Ubuntu releases where avahi-daemon is an Upstart job (look for /etc/init/avahi-daemon.conf), update-rc.d has no effect; edit the "start on" stanza in that file instead.