Planet OpenVAS

Election results

2008-05-03T21:40:00+00:00

For info, as I've been asked by a couple of people, I've been elected as a city councillor for King's Hedges in Cambridge

Full results:

Candidate	Votes
Neil McGovern (Liberal Democrat)	762
Geri Bird (Labour)	560
Cyril Weinman (Conservative)	419
James Youd (Green)	129

This gave me a majority of 198, a massive improvement of last year's majority of just 18. Huge thank you to everyone who supported me and helped during the campaign period, I'm really grateful.

In your network, pwning your data

2008-05-01T12:24:24+00:00

Securing networks, of both the social and electronic variety interests me. The old saying that No man is an island was never more true than it is now. We're an interconnected species and those connections span the globe. Anyway, with that thought in mind I thought I'd share two interesting developments in the security domain that have occurred this week.

Be careful what you post

2008-04-16T12:18:00+00:00

In follow-up to my previous post, in which the phrase "google for gerri bird cambridge" (which turned up a rather poor lack of reply to a survey) was printed on some campain leaflets, I've come across a slightly different example of how traditional PR ideas may not work online if the people who are doing it don't understand the technology.

The Cambridgeshire County Council have placed on their transport page a link inviting people to view some videos of their new mis^WGuided Busway on YouTube. They've even gone so far as to create a YouTube account for the purpose. Unfortunately, the comments on their first video aren't too favourable, with the vast majority of people hating the idea. Not content with this, a second video was also posted, with exactly the same effect. In retaliation, it seems that their PR department has tried to fake some good reviews, but have been caught out.

So, some simple lessons:

Don't trust user generated content to do your job for you
Don't trust sites you have little control over
Don't try and stuff the ballot by writing like a PR person

Analysis of Debian's CVE-2007-4074 response

2008-04-03T23:02:20+00:00

What follows is an analysis of Debian's response to my advisory regarding a remote code execution vulnerability in the Festival test to speech server.

Be careful what you print

2008-03-29T18:59:00+00:00

For those that don't know, I'm running for local government as the Liberal Democrat candidate for King's Hedges City Councillor in Cambridge.
Part of this involves seeing what the other parties do. I had a leaflet come through the door for the potential Labour candidate, Gerri Bird. It contained the usual bumpf, and a suggestion at the end; "google for gerri bird cambridge".
This could present a problem for Gerri. You're not asking someone to go to a site, where the information you have is constant and of a known quality. In this case, Gerri not replying to a survey from the local cycling organisation is the top hit on Google. As these leaflets are already out in the wild, the instructions can't be changed.

Something to be careful of.

Virus scanning the Debian archive for fun and profit

2008-03-05T21:04:00+00:00

As some people may know, I'm a member of the Debian testing security team. As well as tracking all CVE IDs with which packages they affect, we also keep a list of known embedded code copies. Embedded code copies are a bad thing, as they cause no end of problems for the security teams.

One of the problems we've had to find a solution for is: How do we know what statically compiles against a library, or even worse, ships it's own copy?
So, we're looking for something that looks a particular set of bytes in arbitary executeables; a signature of the library if you will. And we do have a rather good tool that can be used to scanning for binary signatures: clamav :)

Step 1

Create a clamav signature

Clamav have a nice guide on how to create signatures on their site. The method I use is fairly simple: find a unique binary string and pass it to sigtool --hex-dump and place it in a nbd file.

Step 2

Scan the archive

for I in `find /mirror/debian/pool/ -name *all.deb`; do 
	clamscan -i -d smarty.ndb --deb --tempdir=/home/maulkin --no-summary \
	--max-space=1024m --stdout $I >> /home/maulkin/smarty.log; 
done;

Step 3

???

Step 4

PROFIT!!!

While I'm talking about testing security, we're all rather busy at the moment in the team, so we could do with some help! If you fancy helping, have a quick read of the intro and come onto #debian-security on irc.debian.org and say hi!

One for the pentesters...

2008-02-26T19:10:38+00:00

Just a quickie really, and mostly inspired by my cursing of GTK. I was thinking today that what pentesters really want is a nice list of the interesting ports on the target network. OpenVAS can help here, but until now, the client has always defaulted to listing reported issues by IP. So on that note, I just hacked it to allow a default sort order to be specified. Now I can always see the interesting ports first :). Whilst I was at it, I made a few minor tweaks to the server component too. Less memory leaks and compiler warnings ahoy and it now supports logging to syslog as per its Tenable spawned brethren.

$self->{'Fuzzled'} ++;

2008-02-24T04:40:11+00:00

Well, the good news is that I have just tagged Fuzzled rc2.0 in CVS. Hopefully, it should be up on the Portcullis web site by the end of the week.Changes:

What's Tim been hacking now...

2008-02-20T03:03:28+00:00

It's been a while since I last posted anything here, so I thought I'd do a quick brain dump of things I've been working on. If you're a regular visitor to these parts, hopefully you'll spot that the site has had a makeover, however since it's not just the look that matters, I've upgraded it to latest version which you can find in the CVS tree linked to from the downloads page. Whilst it's by no means user friendly hopefully, it's it's getting there little by little. Anyway, onwards...

A quick comparison of top news stories

2008-01-11T15:52:00+00:00

Sweden	UK
Victory for topless bathers Court gives thumbs up to anal massage technique Postcard arrives 25 years late Swedish prostitution: gone or just hidden? Ninety pythons left to die in Swedish cottage	Parted-at-birth twins 'married' Pound at record low against euro Vomiting bug 'hits three million' Mr Potato Head makes octopus pal Ngugi laments Kenya violence

OpenVAS-Client now in sid!

2008-01-08T14:59:33+00:00

It had to happen eventually, after the hard work of Jan, Javier and myself, OpenVAS-Client is now in Debian unstable (aka sid) and can be downloaded from all good mirrors. Now starts the hard work of packaging the server components.

Another year flies by...

2007-12-28T15:21:08+00:00

I appear to have been relatively successful:I passed my CHECK examI maintain 2 Debian packages, with more on the wayI released 7 advisoriesI attended DebConfI released lots of Free SoftwareI released an interesting (I think) paper on Vista gadgetsI travelled a lot and met some interesting people - surviving an earthquake along the way... and OpenVAS grew

Hardening konqil.icio.us

2007-12-18T17:39:11+00:00

I was thinking today about the recent spate of vulnerabilities that have affected Firefox and IE where they execute external programs and it crossed my mind that konqil.icio.us and other scripts of its ilk might be vulnerable in a similar manner. Konqil.icio.us fetches the contents of the bookmarked page and uses this to execute dcop requests using system and Perl's backticks like so:

Tor, privacy and anonymous browsing

2007-12-11T11:45:00+00:00

An interesting discussion appeared on #debian on OFTC regarding TOR. One person was of the view that "many intelligence and other agencies are probably heavily involved in tor". As the discussion continued (yes, I should have pointed out it was OT for the channel...) it appeared that privicy and anonymity were getting confused.

Now, I'm not a huge TOR fan (being an oper on OFTC), but I seriously doubt that government agencies are 'heavily involved'. I was pointed at an article to back this claim up, but the article doesn't. Instead, it (and the original claim) raises a couple of interesting issues.

Firstly, there is a difference between privacy and anonymity, although closely related. Privacy allows you to keep information about yourself secret, and anonymity allows you to keep you yourself secret. In the case linked, although the people browsing were anonymous, and maintained privacy, this was broken when they revealed information about themselves. Breaking this privacy broke their anonymity. TOR doesn't even grantee complete anonymity:

Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use web proxies such as Privoxy while web browsing to block cookies and withhold information about your browser type. Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms.

[http://www.torproject.org/overview.html.en]

Used properly, TOR can be a very powerful tool to help, but certainly isn't a silver bullet. It needs to be used properly to prevent your identity being known (anonymity). However, without privacy, this is nothing.
Even without these safeguards, it would require significant resources (and may not be possible) to reliably retrieve useful information about one particular person. This leads to the Greater Internet Fuckwad Theory, which is the main issue I have with TOR, but that's a different post.

So, the question is: do you want privacy or anonymity when using the internet? You need to know what you want before you use a tool, as nothing can beat user education on how to keep your browsing details out of the 'wrong hands'.

As ever my timing is impeccable

2007-12-01T10:07:16+00:00

LOL, just a day after I release gpgutils to the world, some dutch folk release details of how they were able to subvert MD5 and produce two Windows executables with different functionality but the same hash. The amusing thing is that previously I'd been supplying signed MD5 hashes for my tools, but the release of gpgutils coincided with my decision to move to supplying MD5 and SHA1 hashes and indeed gpgutils includes such functionality - just in the nick of time it seems. All this does however lead me wondering what the liklihood is of collisions against both algorithms occuring simultaneously. One for the mathmaticians and cryptographers me thinks.

Credit where credit is due

2007-11-20T09:43:45+00:00

If only everyone was like the phpMyAdmin team, I contacted them last Thursday about an issue in the login page of their popular MySQL management interface, and lo, less than a week later, it's resolved. Now to be fair to the rest of the development community, the issue I reported was trivial to identify and fix, however their security process is first class. I reported a similar bug some time back in another web application and it took 22 days to resolve. My hats off to you gentlemen, if only everyone was so easy to work with. PS advisory is in the downloads section.

Fingering DNSMasq

2007-11-19T16:37:04+00:00

Yay, more random queries to help finger your DNS server. DNSMasq supports the following TXT records in the CHAOS class:copyright.bind. returns "Copyright (C) 2000-2007 Simon Kelley"authors.bind. returns "Simon Kelley"version.bind. returns "dnsmasq-2.40"

Rule #1: Do not trust the user

2007-11-05T00:24:50+00:00

So today I was playing with WordPress a little more, upgrading my installation and hardening the configuration as suggested by BlogSecurity and I stumbled across a(nother) minor input validation flaw :/. I say minor because it can't be used to compromise the blog or hosting system, but simply allows the file path to be disclosed. If you're interested have a look at /wp-admin/plugins.php?page=.

Fingering BIND

2007-11-02T02:29:41+00:00

Some time ago, I discussed how it was possible to finger Microsoft's DNS server due to some of the more esoteric RFCs that it implemented. Well today, I want to discuss BIND. BIND supports the following TXT records in the CHAOS class:

my $fuzzer = "Fuz[z]+led" ++;

2007-10-29T23:47:26+00:00

Okay, so Fuzzled 1.1 is finally here. It's a journey and we're by no means at the end of the road. I've been looking at what other fuzzers such as Sully and Peach are doing as well as reading the Fuzzing book by Pedram Amini et al and I'm feeling inspired. As I've also mentioned previously, I have a couple of other single purpose fuzzers in the pipeline relating to specific projects that I've been working on, so feel free to check back for updates. Anyway, Fuzzled 1.1...

Helping script kiddies

2007-10-21T23:31:15+00:00

Okay, so here's the dilemma. Patch has been sent to me for SSHatter to improve the error handling and provide explicit feedback as to why a particular parameter has caused execution to fail. Patch has been supplied by a recognised security researcher. Patch will help idiot script kids. Do I commit? On the one hand, I like patches and I have no doubt it will make using SSHatter easier for the legitimate user, on the other I have no wish to help idiot script kids. As it is I get emails on a semi regular basis asking for help with SSHatter which I tend to ignore. The last one is a case in point, SSHatter reported that it couldn't find Net::SSH::Perl, reporter complained that he neither understood this, nor understood why INSTALL didn't execute (it's a fscking text file) - What should I do?

Hubble, bubble, toil and trouble

2007-10-21T23:00:55+00:00

Having had a busy and very sociable weekend, it's back to work on Monday and for once I'm spending the week in our office. With that in mind, it's a good opportunity to get prepare some things for publication. OpenVAS is number one priority, I need to complete the packaging for Debian including addressing some concerns about its non-free status. There's no good reason for this, but it appears some deprecated documents were left in with copyright statements that prevent modification. The fact that the FTP masters spotted this, again reassures me that Debian is in good hands. As well as OpenVAS, there is the small issue of my KDE paper which is in desparate need of love before I publish it. Since I first wrote it, I've been developing some interesting PoC which need integrating before a final release. Fuzzled 1.1 should be tar'd and signed before the week is over, I just need to chase some of the beta testers to see if there is any feedback. Finally, all being well, I intend to make my PHP fuzzer available for the first time. Yes, that's right, I've written a fuzzer for the PHP interpreter, inspired by Jesse's Javascript fuzzer. All in all, this means a long week ahead, so to sleep, to dream...

Timing attacks for script kiddies

2007-10-06T16:31:38+00:00

I've just been reading Russell Coker on reducing automated attacks against SSH and I must say, his timing couldn't have been worse :/. SSHatter now supports arbitrary ports which largely nullifies his suggestion to change the SSH listening port. Anyway, that isn't the only change I've made in SSHatter 0.6, it will now optionally time login attempts in attempt to enumerate users as described here. I've put together my thoughts in a response on Russell's blog but essentially, investigate the AllowUsers and PasswordAuthentication directives in sshd_config if you really want to reduce these attack.

An interesting critique of MkPasswd

2007-09-22T07:45:12+00:00

A colleague of mine wrote an interesting critique of MkPasswd. Here is my response:However, it is possible to further reduce this bound by observing that the algorithm can never construct a password containing the characters "z", "Z", "9" or "|"

What we have here is a failure to understand

2007-09-17T13:13:23+00:00

Roger said:I'm sorry, we'll have to agree to disagree. I don't see the new attack vector here. I, the attacker, have to make you download my malicious trojan program, which you install on your computer.

Another slice of the gadget pie

2007-09-16T23:29:56+00:00

Firstly, "the sky isn't falling, the risks posed by the gadget API already existed elsewhere in Windows generally, but this is another new attack surface without any legacy dependencies". This is my general view on the gadget API.

More on gadgets...

2007-09-16T11:36:59+00:00

I've had quite a lot of feedback on my paper Next generation malware: Windows Vista's gadget API, below is a sample, with my comments in italic:

Next generation malware: Windows Vista's gadget API

2007-09-13T10:45:31+00:00

Okay, so the paper is up. Abstract is as follows:

Windows has had the ability to embed HTML into it's user interface for many years. Right back to and including Windows NT 4.0, it has been possible to embed HTML into the task bar, but the OS has always maintained a sandbox, from which the HTML has been unable to escape. All this changes with Windows Vista. This paper seeks to inform system administrators, users and the wider community on both potential attack vectors using gadgets and the mitigations provided by Windows Vista.

Kate, Javascript and non-standard APIs

2007-09-07T14:24:06+00:00

The following article is quite interesting in discussing extending Kate with Javascript:

Scripting KatePart with JavaScript

...

Too much information!

2007-09-05T13:44:00+00:00

Providing a lot of information in a bug report is useful. It helps the developer work out what's wrong. However, you should be careful not to reveal too much information as one submitter did to Gnome in their bug report. Have a look (if you're not in work) at the .xsession-errors at the end of their report to see what movies they were playing.

Update: mind you, at least they were vaguely covert, compared to the brutal honesty of this report. Thanks to Florent Bayle for that link.

Tutorial on Fuzzled

2007-09-03T21:08:49+00:00

In preparation for the imminent release of Fuzzled 1.1, I spent this evening writing a short paper entitled Writing a fuzzer using the Fuzzled framework. The paper includes some of my ideas on dismantling protocols, developing protocol modules and identifying vulnerabilities.

Random hackery

2007-08-10T04:26:30+00:00

So what else have I been working recently, more Debian-Sec and OpenVAS stuff, that's for sure. I also made the mistake^Wdecision to apply to become a fully fledged Debian developer. Glutton for punishment, methinks. There's been a lot more besides though and as the title of this posts, a good deal of it has been random hackery. A flavour; Playing with JSFunFuzz and porting it to Konqueror (random crashes ahoy, mostly relating to __proto__, KJS is pretty solid), which I passed on to the KHTML team; Fiddling with Sys::Ptrace, another candidate for including in an upcoming Fuzzled release; Writing an IOSlave fuzzer to expand on the work in Kreating HavoK; Abusing whois servers (for fun and profit), yes another project started :) and generally making a nuisance of myself with the various vulnerability databases for their inadequecies regarding vulnerabilities I've reported. Oh, and I'm in Boston, MA. Take from that what you will, I'm busy.

Introducing SSHatter

2007-08-10T04:09:21+00:00

I've been evaluating Parallel::ForkManager recently as a replacement for the convoluted producer/consumer model within Fuzzled and I wanted to see what it could do. Anyway, a couple of hours later and I have a working PoC for a multi-threaded SSH brute forcer, to be known as SSHatter. Anyway, SSHatter is capable of taking a hostname list, a username list and a password list, and iterating through, reporting on successful attempts. I think I'll be adding Parallel::ForkManager to the grand plan for the next public release of Fuzzled. Incidentally, Fuzzled development hasn't been standing still. I'm taking a look at what other fuzzers can do, and figuring out whether I want to implement similar features in mine. I've also been tweaking some of the existing features, fixing bugs and toning the beast, for example Fuzzled's pattern generator now supports a character black list, for overflow testing. The major feature of the next release, aside from this, is the introduction of a rudimentory HTTP injection fuzzer, which takes WebScarab logs and attacks the requests in a systematic manner. It should be out of the door, real soon now.

And the winner is...

2007-08-07T13:35:00+00:00

MJ Ray posted a couple of short summaries as to how the election would have turned out if alternate voting systems had been used. A couple of people asked about others, so here's a nice long list:

Borda,
Borda Elimination,
Minmax,
Nanson,
Ranked Pairs,
Condorcet (SPI),
Condorcet (Debian):

Bdale Garbee
David Graham
Luk Claes
Joshua D. Drake
Martin Zobel-Helas
Joerg Jaspert

Bucklin:

Bdale Garbee
David Graham
Joshua D. Drake
Luk Claes
Joerg Jaspert
Ian Jackson

IRV,
Pluralty:

Bdale Garbee
David Graham
Joshua D. Drake
Martin 'Joey' Schulze
Luk Claes
MJ Ray

Most of these seem to come out in favour of the result we achieved with Condorcet. Plurality (aka: First past the post) and IRV put heavy emphisis on the voters first choice. It doesn't really make sense to compare results from a condorcet ballot with either of these methods. Bucklin is rather meaningless in a multi-winner election.

In answer to "is this type of Condorcet ever likely to elect someone who polarises views", it's possible, but unlikely. IRV and Pluralty are the ones to go for if you want the majority of people unhappy, unlike the others, which produce the majority of people happy.

Irony: German government sponsors hacker tool

2007-07-20T03:13:33+00:00

DirBuster for Debian

2007-07-15T14:32:34+00:00

Since DirBuster is finally out in source form (well done James), I figured it was about time to create a Debian package for it. The fruits of my labour can be found in the Debian-Sec archive,...

It's raining

2007-06-25T17:46:00+00:00

As a load of the UK seems partially under water:

Cheese + Logos

2007-06-04T15:49:00+00:00

Well, my colo box lives again. Ish. It's now running under a Xen instance until the new hardware arrives that'll fix it's blown up PSU. So I can now be contacted via the usual methods again :)

In other news, it seems that the new 2012 logo has been announced. It's really quite foul. Fortunately, others have come up with alternate designs. See image 5. If it gets pulled (very likely) see my mirror.

Planet OpenVAS

2006-03-27T12:29:16+00:00

Planet OpenVAS is open for business!