August 6, 2008

3X-Comic on Plurk

Filed under: Throughout the Web - baudizm @ 6:40 pm

The thing “plurkers” do after work.

3X on Plurk
http://3x-comic.blogspot.com


July 24, 2008

Kaminsky DNS Exploit released!

Filed under: Throughout the Web - baudizm @ 2:26 pm

This is the first time that I’m posting an article about the DNS issue found by Dan Kaminsky. It is not because of the severity of this problem, nor is it about how prolific Kaminsky is or how good his hacking skills are. This post is about how fast something develops on the Internet.

The DNS problem found by Kaminsky, and featured all over the web caused tremendous concern among a lot of security experts, and administrators. Read more to get an idea about DNS and what it does.

In just 2 days since Halvar Flake posted his “speculation” on how Dan Kaminsky can perform a massively successful DNS cache poisoning attack, CaughQ’s Druid and Metasploit’s HD Moore joined efforts in delivering what appears to be the first exploit code specifically targeted at Dan Kaminsky’s DNS bug, which Dan had been trying to keep hush-hush since its discovery.

The exploit was released and announced at Full Disclosure today at around 3AM local time (11AM Manila Time). Here’s a portion of the mail header for the sent time.

Received: from cpe-24-28-73-141.austin.res.rr.com (HELO ?10.3.3.33?)
(druid@24.28.73.141)
by mail.caughq.org with SMTP; 24 Jul 2008 03:08:35 -0000

Druid and HD Moore’s exploit code, written in Ruby, appears to have taken details from Halvar Flake’s “speculation” to implement the attack. A lot of people believed that Halvar Flake’s speculation may have been a little off, but it appears that Halvar may have almost nailed it on the head, prompting CaughQ and Metasploit to take a look and arrive at the latest exploit code.

Disclosure header received at Full Disclosure:


Computer Academic Underground
http://www.caughq.org
Exploit Code

===============/========================================================
Exploit ID: CAU-EX-2008-0003
Release Date: 2008.07.23
Title: bailiwicked_domain.rb
Description: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains
Tested: BIND 9.4.1-9.4.2
Attributes: Remote, Poison, Resolver, Metasploit
Exploit URL: ------ removed -------
Author/Email: I)ruid
H D Moore
===============/========================================================

Description
===========

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious nameserver
entry into the target nameserver which replaces the legitimate
nameservers for the target domain. By causing the target nameserver to
query for random hostnames at the target domain, the attacker can spoof
a response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing target nameserver to insert the additional record into the
cache. This insertion completely replaces the original nameserver
records for the target domain.
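
A defender's view of the pattern the advisory describes, as an added example that is not part of the original post or the CAU advisory: a resolver being raced this way sees many distinct sibling names queried under one zone, each accompanied by responses whose transaction ID does not match the open query. The event format, the thresholds and the sample data below are constructed assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed events, not real traffic: (kind, qname, txid).
    "Q" = query the resolver sent upstream, "R" = response that arrived."""
    events = [("Q", "www.example.org", 0x1A2B), ("R", "www.example.org", 0x1A2B)]
    # Random sibling names under one zone, each followed by a burst of
    # responses carrying guessed transaction IDs, then the genuine answer.
    for i in range(5):
        name = f"x{i:04d}q.example.com"
        events.append(("Q", name, 0x4000 + i))
        events += [("R", name, guess) for guess in range(100 + i * 20, 120 + i * 20)]
        events.append(("R", name, 0x4000 + i))
    return events

def zone_of(qname, labels=2):
    # Simplification: treat the last two labels as the zone (no public-suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])

def suspicious_zones(events, min_names=3, min_mismatches=50):
    """Return {zone: (distinct names queried, mismatched responses)} for zones
    that cross both thresholds (threshold values are illustrative)."""
    outstanding = {}               # qname -> txid of the open query
    names = defaultdict(set)       # zone -> distinct names queried
    mismatches = defaultdict(int)  # zone -> responses with a wrong txid
    for kind, qname, txid in events:
        zone = zone_of(qname)
        if kind == "Q":
            outstanding[qname] = txid
            names[zone].add(qname)
        elif outstanding.get(qname) != txid:
            mismatches[zone] += 1  # forged, late or duplicate response
        else:
            del outstanding[qname]  # matched: the query is closed
    return {z: (len(names[z]), mismatches[z]) for z in names
            if len(names[z]) >= min_names and mismatches[z] >= min_mismatches}

if __name__ == "__main__":
    print(suspicious_zones(make_sample()))
```
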

Quoting Dan Kaminsky, “the cat is out of the bag.” Sorry Dan, I don’t think you can stop this now. And I think you know who to blame for this, that is if he/she/they/it can really be blamed?

The rate/speed of development is just truly amazing. The extent?


February 12, 2008

ASUS Eee PC exploitable out of the box

Filed under: Throughout the Web, Linux - baudizm @ 4:12 pm

RISE Security has posted a blog entry announcing that the ASUS Eee PC running Xandros is vulnerable out of the box.

Read the article at the RISE Security website.

As always, ASUS Eee PC users running Xandros will need to update or patch the bundled Samba. Better yet, install updated Ubuntu versions instead.

Bottom line: relying on a product out of the box is not good for your health or your boxen.


January 30, 2008

Quantum & IT Convention Presentation

Filed under: Throughout the Web, Linux - baudizm @ 9:41 pm

Before I went to Manila and finally here in Benguet for a few-day working trip, I gave a presentation about Linux at the recently concluded Quantum and IT Convention.

They have graciously provided a download of my presentation, which can be found at the QITC site’s download page, or you can download it directly. Though I will appreciate it if you’ll visit their site to get my presentation.

Though of course, I would like to caution you, most of those things in my presentation are pictures. It’s a visual shell of the talk and the content is in the talk itself. :) But still, feel free to download the presentation.


January 23, 2008

Javascript “critter” frolics, WhiteHats called to arms

Filed under: Throughout the Web - baudizm @ 12:12 am

This problem appeared early on, sometime around November 25, 2007. To put it simply, it’s a malware propagation scheme that takes advantage of vulnerabilities of the web servers, CMS, cPanel, some framework, as well as the machines that visit the infected sites. Yes, the magnitude of this exploit is quite huge. What’s more, it infects machines irrespective of operating system platform.

So what is this “problem” really? It’s a propagation “framework” if you must — that uses good old Javascript and more of it. It also includes a dash of rogue .htaccess in your Apache server for good measure. How ingenious is this? Well, to put it simply, when you visit an infected site, you’re treated to the sweet taste of Javascript. Except that you’re not seeing anything obvious. Everything is transparent and oblivious to the visitor. You won’t feel a thing when this bugger hits your browser. And the icing on the cake on this bugger is that each iteration of the Javascript that will be thrown at your browser will only be served once per IP. And no, you cannot wget again using the same IP you’re using now. Once you try and wget the same JS script file, you’d get a 404 outright. Once you’re infected, you’ll be deluged with requests from the other infected sites begging your machine to download their own randomly generated versions of the same JS script.

For a more deep down penetration, it scans the visiting machine for vulnerabilities that can be exploited. Yes, your favorite iTunes cuddles with this bugger too, along with some of your favorite applications. On Win-machines, ActiveX is the main culprit. However, on the server side, whitehats are still continually looking for ways to neutralize this silent threat. The mystery is not in the infection. It’s how the servers were compromised and made to host the rogue code. And most of the detailed discussions were hidden from public view for fear of feeding the kiddies further. Good bet is that automated exploit tools were used to compromise the sheer number of servers in record time. Probably a mutated variant of Metasploit running on various hosts on a botnet, simultaneously doing their rounds randomly until an unwitting, seldom-patched server is encountered. And then the carnage starts again until a good number of machines are “droned”. Then when the visits come trickling into the sites, there’s no turning back.

It’s already 2008 and this critter is still happily frolicking under the virtual sun. You might have an updated AV (Kaspersky and AVG were known to catch this), however, it’s a matter of time before you too will be assimilated.

No I won’t give more details about this. Google might give the answer but not me. I’m already busy.



January 21, 2008

RIAA hacked?

Filed under: Throughout the Web - baudizm @ 10:50 pm

Really funny. I dunno if the guys manning RIAA’s site were really that incompetent. Reading the story from RealTechNews just cracked me up.

It started on Reddit, where a link to a really slow SQL query was posted. The post said “This link runs a slooow SQL query on the RIAA’s server. Don’t click it; that would be wrong.”

Of course, no one listened to that tongue-in-cheek warning. While some users were messing around changing links to point the Pirate Bay (below), for example, someone allegedly wiped the site’s entire database.

The moral of the story? Validate your variables darnit! :)

RIAA Website Wiped Clean by Hackers


January 19, 2008

Baseline releases Greatest Hacker Movies of All Time

Filed under: Throughout the Web - baudizm @ 3:53 pm

I’ve just seen Baseline’s list of what could be _THE_ list of hackish movies to watch. Here’s the list, with the status whether I’ve seen them or not.

1. Untraceable (haven’t seen it, hunting a copy)
2. Breach (haven’t seen it, hunting a copy)
3. Firewall (haven’t seen it, hunting a copy)
4. Swordfish (seen it, a bit overboard, will watch it max 5 times)
5. Takedown (seen it hundreds of times! will watch it again.)
6. The Matrix (trilogy) (seen it. will watch it max 10 times)
7. Office Space (will watch it, hunting a copy)
8. Pirates of Silicon Valley (seen it hundreds of times! will watch it again.)
9. Enemy of the State (haven’t seen it, hunting a copy)
10. Independence Day (seen it. will watch it max 10 times)
11. James Bond: Golden Eye (seen it, mushy, will watch it max 3 times)
12. Hackers (seen it, lost my copy, hunting a copy, will watch it max 10 times)
13. Strange Days (seen it, mushy, will watch it max 3 times)
14. Sneakers (seen it, not much techiness, will watch it max 3 times)
15. Real Genius (seen it hundreds of times! will watch it again.)
16. Weird Science (seen it hundreds of times! will watch it again.)
17. War Games (seen it hundreds of times! will watch it again.)
18. Star Trek: Wrath of Khan (seen it hundreds of times! will watch it again.)
19. Tron (seen it hundreds of times! will watch it again.)
20. Star Wars (trilogy) (seen it hundreds of times! will watch it again.)
21. 2001: A Space Odyssey (seen it hundreds of times! will watch it again.)
22. Dr. Strangelove (haven’t seen it, hunting a copy)

Once I get more free time, I’d grab those copies and watch those that I haven’t seen, or watch my favorites yet again. However, if you know of any good hackish, geeky, techie, or sci-fi movies, do put them up in the comment section and I’ll look them up.

Enjoy!

View Baseline’s list of Greatest Hacker Movies of All Time.


December 22, 2007

Samba gets access to MS network file protocols

Filed under: Throughout the Web, General OpenSource, Linux - baudizm @ 11:04 am

This just came in yesterday: the Samba team has been granted full access to the documentation of Microsoft’s Network File Protocols. This is a direct result of the European Commission’s decision regarding Microsoft acting as a monopoly. Microsoft was ordered to open up some of its proprietary protocols and pay the sum of $613 million in fines.

The landmark decision by the European Commission also allows competitors and opensource developers to release the produced code as purely opensource, licensed under GPL2 or GPL3. This allows Samba and other similar projects to fully build opensource products that will be fully compatible with Microsoft’s protocols. The timing is right for this latest development, especially with the Samba Team getting their momentum going in providing Active Directory-compatible features with its latest Samba 4 project, currently in its alpha stages.

Another project that will benefit from this latest development will be Centeris Likewise.

Additional Reference:
Samba Team Receives Microsoft Protocol Documentation
The PFIF Agreement
Freeing Up the Windows Workgroup Protocols


